[coreboot-gerrit] New patch to review for coreboot: libpayload: Fix possible NULL deref in cbfs_get_file_content()
Nico Huber (nico.h@gmx.de)
gerrit at coreboot.org
Fri Oct 2 17:42:00 CET 2015
Nico Huber (nico.h at gmx.de) just uploaded a new patch set to gerrit, which you can find at http://review.coreboot.org/11780
-gerrit
commit 8f2f9feea98d61f2df2bddf0a2ebcbef72346df2
Author: Nico Huber <nico.huber at secunet.com>
Date: Fri Oct 2 19:38:24 2015 +0200
libpayload: Fix possible NULL deref in cbfs_get_file_content()
Change-Id: I2e10ccac3248717d90838ca721cc691de792b507
Signed-off-by: Nico Huber <nico.huber at secunet.com>
---
payloads/libpayload/libcbfs/cbfs_core.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/payloads/libpayload/libcbfs/cbfs_core.c b/payloads/libpayload/libcbfs/cbfs_core.c
index 4c898c6..369d946 100644
--- a/payloads/libpayload/libcbfs/cbfs_core.c
+++ b/payloads/libpayload/libcbfs/cbfs_core.c
@@ -207,14 +207,12 @@ void *cbfs_get_file_content(struct cbfs_media *media, const char *name,
return NULL;
}
- if (sz)
- *sz = ntohl(file->len);
-
void *file_content = (void *)CBFS_SUBHEADER(file);
struct cbfs_file_attribute *attr =
cbfs_file_find_attr(file, CBFS_FILE_ATTR_TAG_COMPRESSION);
+ size_t final_size = ntohl(file->len);
int compression_algo = CBFS_COMPRESS_NONE;
if (attr) {
struct cbfs_file_attr_compression *comp =
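Review bot: With the early `*sz` assignment removed in this hunk, `*sz` is written only just before the successful return (second hunk), so every failure path now leaves the caller's variable untouched. A caller that reads the size after a NULL return would see a stale or uninitialized value, which is a contract change worth stating in the function's header comment, e.g. `/* *sz is written only on success and is left unchanged when NULL is returned. */`. It would also help to comment the new local: `/* stored length; replaced by decompressed_size when a compression attribute is present */`. The function starts before this hunk and continues past it.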
@@ -222,16 +220,19 @@ void *cbfs_get_file_content(struct cbfs_media *media, const char *name,
compression_algo = ntohl(comp->compression);
DEBUG("File '%s' is compressed (alg=%d)\n",
name, compression_algo);
- *sz = ntohl(comp->decompressed_size);
+ final_size = ntohl(comp->decompressed_size);
}
- void *dst = malloc(*sz);
+ void *dst = malloc(final_size);
if (dst == NULL)
goto err;
- if (!cbfs_decompress(compression_algo, file_content, dst, *sz))
+ if (!cbfs_decompress(compression_algo, file_content, dst, final_size))
goto err;
+ if (sz)
+ *sz = final_size;
+
media->unmap(media, file);
return dst;
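Review bot: For a compressed file, the `final_size` passed to `malloc(final_size)` and to `cbfs_decompress(..., dst, final_size)` comes straight from `comp->decompressed_size` in the image, with no upper bound or plausibility check. The stored length `ntohl(file->len)` is overwritten at that point, so the call as shown passes no limit on how much of `file_content` may be read; whether `cbfs_decompress` bounds its input internally is not visible here. If the CBFS contents can be corrupted or modified, a check of `final_size` against a payload-defined maximum before the allocation would turn a bad header into a clean error instead of an oversized allocation or an out-of-bounds read. A zero `final_size` is also worth handling explicitly, since `malloc(0)` may return NULL and an empty file would then be reported as a failure. The `err:` label lies outside the hunk, so it cannot be confirmed from here that `dst` is freed when `cbfs_decompress` fails.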