[coreboot-gerrit] New patch to review for coreboot: libpayload: lz4: Add output overrun check to incompressible case

Patrick Georgi (pgeorgi@google.com) gerrit at coreboot.org
Mon Jul 20 22:36:47 CEST 2015


Patrick Georgi (pgeorgi at google.com) just uploaded a new patch set to gerrit, which you can find at http://review.coreboot.org/11016

-gerrit

commit a93cb2ac1a089d06b50b47ad07a98892e6f7b281
Author: Julius Werner <jwerner at chromium.org>
Date:   Thu Jul 16 13:59:57 2015 -0700

    libpayload: lz4: Add output overrun check to incompressible case
    
    The LZ4 decompressor currently doesn't check for output overruns before
    writing data in the case where a block had been incompressible (and
    included verbatim in the compression stream). This is extremely unlikely
    with the default 4MB blocks, but still a nice thing to fix. We'll still
    output as much data as we can before returning an error to support
    partial decompression use cases.
    
    This matches the behavior already in place for normal, LZ4-compressed
    blocks where the decompression function is already (supposed to be)
    doing complete bounds checking (although it is not guaranteed to output
    all valid bytes before aborting on an output overrun, and you should try
    to provide a few dozen bytes of extra buffer space beyond the parts
    you're interested in on partial decompression).
    
    BRANCH=None
    BUG=chrome-os-partner:32184
    TEST=None
    
    Change-Id: I5e40c8cec8947ec0ec8f6d8c8fa2574cfb4dc958
    Signed-off-by: Patrick Georgi <pgeorgi at chromium.org>
    Original-Commit-Id: 636985334c9b3b93a12d4066d2829f1f999c9315
    Original-Change-Id: Iecf44650aade60b9fa1b13e57da752fb482a3f3f
    Original-Signed-off-by: Julius Werner <jwerner at chromium.org>
    Original-Reviewed-on: https://chromium-review.googlesource.com/286240
    Original-Reviewed-by: Aaron Durbin <adurbin at chromium.org>
---
 payloads/libpayload/liblz4/lz4_wrapper.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/payloads/libpayload/liblz4/lz4_wrapper.c b/payloads/libpayload/liblz4/lz4_wrapper.c
index b046597..431fb55 100644
--- a/payloads/libpayload/liblz4/lz4_wrapper.c
+++ b/payloads/libpayload/liblz4/lz4_wrapper.c
@@ -132,8 +132,12 @@ size_t ulz4fn(const void *src, size_t srcn, void *dst, size_t dstn)
 			return out - dst;	/* decompression successful */
 
 		if (b.not_compressed) {
-			memcpy(out, in, b.size);
-			out += b.size;
+			size_t size = MIN((u32)b.size, dst + dstn - out);
+			memcpy(out, in, size);
+			if (size < b.size)
+				return 0;	/* output overrun */
+			else
+				out += size;
 		} else {
 			/* constant folding essential, do not touch params! */
 			int ret = LZ4_decompress_generic(in, out, b.size,
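Review bot: In the `b.not_compressed` branch the write is now clamped to `dst + dstn - out`, but the `memcpy(out, in, size)` still reads a length derived from `b.size`, and nothing in these lines checks it against `srcn`. If `in + b.size` is not validated against `src + srcn` before this point, a block header that claims more verbatim bytes than the input holds will read past the source buffer, so the same kind of clamp or an early `return 0` is needed on the input side. Separately, on overrun the function copies the partial data and then returns 0, so the caller cannot tell how many bytes of `dst` are valid. The function comment should state that `dst` is filled up to `dstn` in that case. The `else` after `return 0;` is redundant and `out += size;` can sit unindented. The `MIN()` also compares a `u32` with a signed pointer difference; casting the difference to `size_t` would make the intended comparison explicit.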


