Patrick Georgi (pgeorgi@google.com) just uploaded a new patch set to gerrit, which you can find at http://review.coreboot.org/11016
-gerrit
commit a93cb2ac1a089d06b50b47ad07a98892e6f7b281
Author: Julius Werner jwerner@chromium.org
Date: Thu Jul 16 13:59:57 2015 -0700
libpayload: lz4: Add output overrun check to incompressible case
The LZ4 decompressor currently doesn't check for output overruns before writing data in the case where a block had been incompressible (and included verbatim in the compression stream). This is extremely unlikely with the default 4MB blocks, but still a nice thing to fix. We'll still output as much data as we can before returning an error to support partial decompression use cases.
This matches the behavior already in place for normal, LZ4-compressed blocks where the decompression function is already (supposed to be) doing complete bounds checking (although it is not guaranteed to output all valid bytes before aborting on an output overrun, and you should try to provide a few dozen bytes of extra buffer space beyond the parts you're interested in on partial decompression).
BRANCH=None
BUG=chrome-os-partner:32184
TEST=None

Change-Id: I5e40c8cec8947ec0ec8f6d8c8fa2574cfb4dc958
Signed-off-by: Patrick Georgi pgeorgi@chromium.org
Original-Commit-Id: 636985334c9b3b93a12d4066d2829f1f999c9315
Original-Change-Id: Iecf44650aade60b9fa1b13e57da752fb482a3f3f
Original-Signed-off-by: Julius Werner jwerner@chromium.org
Original-Reviewed-on: https://chromium-review.googlesource.com/286240
Original-Reviewed-by: Aaron Durbin adurbin@chromium.org
---
payloads/libpayload/liblz4/lz4_wrapper.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/payloads/libpayload/liblz4/lz4_wrapper.c b/payloads/libpayload/liblz4/lz4_wrapper.c index b046597..431fb55 100644 --- a/payloads/libpayload/liblz4/lz4_wrapper.c +++ b/payloads/libpayload/liblz4/lz4_wrapper.c @@ -132,8 +132,12 @@ size_t ulz4fn(const void *src, size_t srcn, void *dst, size_t dstn) return out - dst; /* decompression successful */
if (b.not_compressed) { - memcpy(out, in, b.size); - out += b.size; + size_t size = MIN((u32)b.size, dst + dstn - out); + memcpy(out, in, size); + if (size < b.size) + return 0; /* output overrun */ + else + out += size; } else { /* constant folding essential, do not touch params! */ int ret = LZ4_decompress_generic(in, out, b.size,
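Review bot: In the `b.not_compressed` branch the new `MIN()` clamps only the destination side; `memcpy(out, in, size)` still reads up to `b.size` bytes from `in`, and nothing in the visible lines checks that length against `src + srcn`. If that bound is not already enforced earlier in `ulz4fn()`, add the matching input check before the copy, for example by treating `b.size > src + srcn - in` as an error. Two smaller points: returning 0 after the partial `memcpy` gives the caller no count of the bytes that were written, so the partial-decompression behaviour described in the commit message should be stated in the function's comment; and the `else` after `return 0;` is redundant, `out += size;` can follow the `if` directly.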