[coreboot-gerrit] New patch to review for coreboot: libpayload: lzma: Allocate scratchpad on the heap

Julius Werner (jwerner@chromium.org) gerrit at coreboot.org
Sat Aug 6 06:41:35 CEST 2016


Julius Werner (jwerner at chromium.org) just uploaded a new patch set to gerrit, which you can find at https://review.coreboot.org/16089

-gerrit

commit 15ccdd86a02050560a2aca057ba745e5ef3d144d
Author: Julius Werner <jwerner at chromium.org>
Date:   Fri Aug 5 20:43:47 2016 -0700

    libpayload: lzma: Allocate scratchpad on the heap
    
    Allocating a 15980-byte scratchpad on the stack when your default stack
    size is set to 16KB is really not a great idea. We're regularly
    overflowing into the end of our heap when using LZMA in libpayload, and
    just happen not to notice it because the heap rarely gets filled up all
    the way. Of course, since we always *have* a heap in libpayload, the
    much saner solution is to just use it directly to allocate the
    scratchpad rather than accidentally grow backwards into it anyway.
    
    Change-Id: Ibe4f02057a32bd156a126302178fa6fcab637d2c
    Signed-off-by: Julius Werner <jwerner at chromium.org>
---
 payloads/libpayload/liblzma/lzma.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/payloads/libpayload/liblzma/lzma.c b/payloads/libpayload/liblzma/lzma.c
index 767eb86..57a8b3a 100644
--- a/payloads/libpayload/liblzma/lzma.c
+++ b/payloads/libpayload/liblzma/lzma.c
@@ -10,6 +10,7 @@
  */
 
 #include <lzma.h>
+#include <stdlib.h>
 #include <stdio.h>
 #include <string.h>
 #include "lzmadecode.c"
@@ -25,7 +26,7 @@ unsigned long ulzman(const unsigned char *src, unsigned long srcn,
 	int res;
 	CLzmaDecoderState state;
 	SizeT mallocneeds;
-	unsigned char scratchpad[15980];
+	unsigned char *scratchpad;
 
 	memcpy(properties, src, LZMA_PROPERTIES_SIZE);
 	memcpy(&outSize, src + LZMA_PROPERTIES_SIZE, sizeof(outSize));
@@ -37,13 +38,16 @@ unsigned long ulzman(const unsigned char *src, unsigned long srcn,
 		return 0;
 	}
 	mallocneeds = (LzmaGetNumProbs(&state.Properties) * sizeof(CProb));
-	if (mallocneeds > 15980) {
-		printf("lzma: Decoder scratchpad too small!\n");
+	scratchpad = malloc(mallocneeds);
+	if (!scratchpad) {
+		printf("lzma: Cannot allocate %u bytes for scratchpad!\n",
+		       mallocneeds);
 		return 0;
 	}
 	state.Probs = (CProb *)scratchpad;
 	res = LzmaDecode(&state, src + data_offset, srcn - data_offset,
 			 &inProcessed, dst, outSize, &outProcessed);
+	free(scratchpad);
 	if (res != 0) {
 		printf("lzma: Decoding error = %d\n", res);
 		return 0;
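Review bot: The new error message passes `mallocneeds`, declared as `SizeT`, to `%u`; if `SizeT` is wider than `unsigned int` on some libpayload targets this is a format/argument mismatch (undefined behavior and a garbled value in the log). Use `%zu` if libpayload's printf supports the `z` modifier, otherwise cast explicitly: `printf("lzma: Cannot allocate %u bytes for scratchpad!\n", (unsigned int)mallocneeds);`. Note also that the removed `if (mallocneeds > 15980)` check was, in effect, the only upper bound on the probability-table size derived from the LZMA properties byte in the untrusted input; with `malloc(mallocneeds)` a crafted header can presumably request a much larger allocation than before, so consider keeping an explicit sanity cap (sized to what the payloads actually need) in front of the malloc rather than relying on allocation failure alone. `ulzman` continues past the end of this hunk, so the remaining return path was not reviewed here.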


