lzma: correctly bounds-check output buffer

The output buffer size must be correctly passed to the lzma decoder or there is a risk of overflowing memory during decompression. Switching to the LZMA_FINISH_END mode means nothing is left in an unknown state once the buffer becomes full. Signed-off-by: Kees Cook <[email protected]> Acked-by: Simon Glass <[email protected]>
mlan3 · Sep 3, 2013 · afca294 · afca294
1 parent b75650d
commit afca294
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/lib/lzma/LzmaTools.c b/lib/lzma/LzmaTools.c
@@ -97,15 +97,19 @@ int lzmaBuffToBuffDecompress (unsigned char *outStream, SizeT *uncompressedSize,
     g_Alloc.Alloc = SzAlloc;
     g_Alloc.Free = SzFree;
 
+    /* Short-circuit early if we know the buffer can't hold the results. */
+    if (outSizeFull != (SizeT)-1 && *uncompressedSize < outSizeFull)
+        return SZ_ERROR_OUTPUT_EOF;
+
     /* Decompress */
-    outProcessed = outSizeFull;
+    outProcessed = *uncompressedSize;
 
     WATCHDOG_RESET();
 
     res = LzmaDecode(
         outStream, &outProcessed,
         inStream + LZMA_DATA_OFFSET, &compressedSize,
-        inStream, LZMA_PROPS_SIZE, LZMA_FINISH_ANY, &state, &g_Alloc);
+        inStream, LZMA_PROPS_SIZE, LZMA_FINISH_END, &state, &g_Alloc);
     *uncompressedSize = outProcessed;
     if (res != SZ_OK)  {
         return res;