1 From: Antonios Vamporakis <ant@area128.com>
2 Date: Tue, 31 Dec 2013 01:05:42 +0100
3 Subject: [PATCH] lzma: fix buffer bound check error
5 Variable uncompressedSize references the space available, while outSizeFull is
6 the actual expected uncompressed size. Using the wrong value causes LzmaDecode
7 to return SZ_ERROR_INPUT_EOF. Problem was introduced in commit afca294. While
8 at it add additional debug message.
10 Signed-off-by: Antonios Vamporakis <ant@area128.com>
11 CC: Kees Cook <keescook@chromium.org>
12 CC: Simon Glass <sjg@chromium.org>
13 CC: Daniel Schwierzeck <daniel.schwierzeck@gmail.com>
14 CC: Luka Perkov <luka@openwrt.org>
16 lib/lzma/LzmaTools.c | 5 ++++-
17 1 file changed, 4 insertions(+), 1 deletion(-)
19 --- a/lib/lzma/LzmaTools.c
20 +++ b/lib/lzma/LzmaTools.c
21 @@ -102,7 +102,7 @@ int lzmaBuffToBuffDecompress (unsigned c
22 return SZ_ERROR_OUTPUT_EOF;
25 - outProcessed = *uncompressedSize;
26 + outProcessed = outSizeFull;
30 @@ -111,6 +111,9 @@ int lzmaBuffToBuffDecompress (unsigned c
31 inStream + LZMA_DATA_OFFSET, &compressedSize,
32 inStream, LZMA_PROPS_SIZE, LZMA_FINISH_END, &state, &g_Alloc);
33 *uncompressedSize = outProcessed;
35 + debug("LZMA: Uncompresed ................ 0x%zx\n", outProcessed);