summaryrefslogtreecommitdiff
path: root/lib/gunzip.c
diff options
context:
space:
mode:
authorKees Cook <keescook@chromium.org>2013-08-16 07:59:13 -0700
committerSimon Glass <sjg@chromium.org>2013-09-03 13:30:14 -0600
commitb75650d84d4b7892179ae183523011f6d898423d (patch)
tree4c665df9b1200fa6c26908aaa7c72ab3c2347a28 /lib/gunzip.c
parent8ef70478458432b5352980a823039c508359523e (diff)
downloadu-boot-imx-b75650d84d4b7892179ae183523011f6d898423d.zip
u-boot-imx-b75650d84d4b7892179ae183523011f6d898423d.tar.gz
u-boot-imx-b75650d84d4b7892179ae183523011f6d898423d.tar.bz2
gzip: correctly bounds-check output buffer
The output buffer size must not be reset by the gzip decoder or there is a risk of overflowing memory during decompression. Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: Simon Glass <sjg@chromium.org>
Diffstat (limited to 'lib/gunzip.c')
-rw-r--r--lib/gunzip.c4
1 files changed, 2 insertions, 2 deletions
diff --git a/lib/gunzip.c b/lib/gunzip.c
index 9959781..35abfb3 100644
--- a/lib/gunzip.c
+++ b/lib/gunzip.c
@@ -89,13 +89,13 @@ int zunzip(void *dst, int dstlen, unsigned char *src, unsigned long *lenp,
s.avail_out = dstlen;
do {
r = inflate(&s, Z_FINISH);
- if (r != Z_STREAM_END && r != Z_BUF_ERROR && stoponerr == 1) {
+ if (stoponerr == 1 && r != Z_STREAM_END &&
+ (s.avail_out == 0 || r != Z_BUF_ERROR)) {
printf("Error: inflate() returned %d\n", r);
inflateEnd(&s);
return -1;
}
s.avail_in = *lenp - offset - (int)(s.next_out - (unsigned char*)dst);
- s.avail_out = dstlen;
} while (r == Z_BUF_ERROR);
*lenp = s.next_out - (unsigned char *) dst;
inflateEnd(&s);