[coreboot-gerrit] New patch to review for coreboot: libpayload: Fix possible NULL deref in cbfs_get_file_content()

[Nico Huber (nico.h@gmx.de)]

Nico Huber (nico.h at gmx.de) just uploaded a new patch set to gerrit, which you can find at http://review.coreboot.org/11780

-gerrit

commit 8f2f9feea98d61f2df2bddf0a2ebcbef72346df2
Author: Nico Huber <nico.huber at secunet.com>
Date:   Fri Oct 2 19:38:24 2015 +0200

    libpayload: Fix possible NULL deref in cbfs_get_file_content()
    
    Change-Id: I2e10ccac3248717d90838ca721cc691de792b507
    Signed-off-by: Nico Huber <nico.huber at secunet.com>
---
 payloads/libpayload/libcbfs/cbfs_core.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/payloads/libpayload/libcbfs/cbfs_core.c b/payloads/libpayload/libcbfs/cbfs_core.c
index 4c898c6..369d946 100644
--- a/payloads/libpayload/libcbfs/cbfs_core.c
+++ b/payloads/libpayload/libcbfs/cbfs_core.c
@@ -207,14 +207,12 @@ void *cbfs_get_file_content(struct cbfs_media *media, const char *name,
 		return NULL;
 	}
 
-	if (sz)
-		*sz = ntohl(file->len);
-
 	void *file_content = (void *)CBFS_SUBHEADER(file);
 
 	struct cbfs_file_attribute *attr =
 		cbfs_file_find_attr(file, CBFS_FILE_ATTR_TAG_COMPRESSION);
 
+	size_t final_size = ntohl(file->len);
 	int compression_algo = CBFS_COMPRESS_NONE;
 	if (attr) {
 		struct cbfs_file_attr_compression *comp =
@@ -222,16 +220,19 @@ void *cbfs_get_file_content(struct cbfs_media *media, const char *name,
 		compression_algo = ntohl(comp->compression);
 		DEBUG("File '%s' is compressed (alg=%d)\n",
 		      name, compression_algo);
-		*sz = ntohl(comp->decompressed_size);
+		final_size = ntohl(comp->decompressed_size);
 	}
 
-	void *dst = malloc(*sz);
+	void *dst = malloc(final_size);
 	if (dst == NULL)
 		goto err;
 
-	if (!cbfs_decompress(compression_algo, file_content, dst, *sz))
+	if (!cbfs_decompress(compression_algo, file_content, dst, final_size))
 		goto err;
 
+	if (sz)
+		*sz = final_size;
+
 	media->unmap(media, file);
 	return dst;