authorKees Cook <keescook@chromium.org>2013-08-16 07:59:13 -0700
committerSimon Glass <sjg@chromium.org>2013-09-03 13:30:14 -0600
commitb75650d84d4b7892179ae183523011f6d898423d (patch)
tree4c665df9b1200fa6c26908aaa7c72ab3c2347a28
parent8ef70478458432b5352980a823039c508359523e (diff)
gzip: correctly bounds-check output buffer
The output buffer size must not be reset by the gzip decoder or there is a risk of overflowing memory during decompression. Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: Simon Glass <sjg@chromium.org>
-rw-r--r--lib/gunzip.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/gunzip.c b/lib/gunzip.c
index 9959781..35abfb3 100644
--- a/lib/gunzip.c
+++ b/lib/gunzip.c
@@ -89,13 +89,13 @@ int zunzip(void *dst, int dstlen, unsigned char *src, unsigned long *lenp,
s.avail_out = dstlen;
do {
r = inflate(&s, Z_FINISH);
- if (r != Z_STREAM_END && r != Z_BUF_ERROR && stoponerr == 1) {
+ if (stoponerr == 1 && r != Z_STREAM_END &&
+ (s.avail_out == 0 || r != Z_BUF_ERROR)) {
printf("Error: inflate() returned %d\n", r);
inflateEnd(&s);
return -1;
}
s.avail_in = *lenp - offset - (int)(s.next_out - (unsigned char*)dst);
- s.avail_out = dstlen;
} while (r == Z_BUF_ERROR);
*lenp = s.next_out - (unsigned char *) dst;
inflateEnd(&s);
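Review bot: The new `s.avail_out == 0` test only takes effect when `stoponerr == 1`, so for any other value a full destination buffer leaves the `do … while (r == Z_BUF_ERROR)` loop with no exit. With `avail_out` no longer reset, `inflate()` is expected to keep returning `Z_BUF_ERROR` without making progress, so an oversized or corrupt image would likely hang the boot rather than fail cleanly. Bounding the loop independently of the flag, e.g. `} while (r == Z_BUF_ERROR && s.avail_out != 0);`, keeps the overflow fix and guarantees termination. Whether the truncated result should then be reported as an error depends on the rest of zunzip(), which starts and ends outside this hunk. Separately, the unchanged line that recomputes `s.avail_in` subtracts the number of bytes written to `dst` from the input length, which does not look like a count of input consumed and is worth confirming.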