[coreboot] r594 - in coreboot-v3/util: lar lzma nrv2b

Wed Feb 13 23:15:59 CET 2008

Author: myles
Date: 2008-02-13 23:15:59 +0100 (Wed, 13 Feb 2008)
New Revision: 594

Modified:
   coreboot-v3/util/lar/lar.h
   coreboot-v3/util/lar/lib.c
   coreboot-v3/util/lar/stream.c
   coreboot-v3/util/lzma/minilzma.cc
   coreboot-v3/util/nrv2b/nrv2b.c
Log:
This patch adds dst_len for the lar uncompress functions, enabling
buffer overflow checks.  It exits with an error instead of
overflowing.

Signed-off-by: Myles Watson <myles at pel.cs.byu.edu>
Acked-by: Ronald G. Minnich <rminnich at gmail.com>


Modified: coreboot-v3/util/lar/lar.h
===================================================================

--- coreboot-v3/util/lar/lar.h	2008-02-13 21:00:20 UTC (rev 593)
+++ coreboot-v3/util/lar/lar.h	2008-02-13 22:15:59 UTC (rev 594)
@@ -94,17 +94,17 @@
 enum compalgo { none = 0, lzma = 1, nrv2b = 2 };
 
 typedef void (*compress_func) (char *, int, char *, int *);
-typedef void (*uncompress_func) (char *, char *, int);
+typedef void (*uncompress_func) (char *, int, char *, int);
 
 void compress_impossible(char *in, int in_len, char *out, int *out_len);
 void do_no_compress(char *in, int in_len, char *out, int *out_len);
 void do_lzma_compress(char *in, int in_len, char *out, int *out_len);
 void do_nrv2b_compress(char *in, int in_len, char *out, int *out_len);
 
-void uncompress_impossible(char *, char *, int);
-void do_no_uncompress(char *, char *, int);
-void do_lzma_uncompress(char *, char *, int);
-void do_nrv2b_uncompress(char *, char *, int);
+void uncompress_impossible(char *dst, int dst_len, char *src, int src_len);
+void do_no_uncompress(char *dst, int dst_len, char *src, int src_len);
+void do_lzma_uncompress(char *dst, int dst_len, char *src, int src_len);
+void do_nrv2b_uncompress(char *dst, int dst_len, char *src, int src_len);
 
 static compress_func compress_functions[] = {
 	do_no_compress,

Modified: coreboot-v3/util/lar/lib.c
===================================================================
--- coreboot-v3/util/lar/lib.c	2008-02-13 21:00:20 UTC (rev 593)
+++ coreboot-v3/util/lar/lib.c	2008-02-13 22:15:59 UTC (rev 594)
@@ -60,15 +60,22 @@
  * The default "uncompress" hook to call when no other compression is used
  */
 
-void do_no_uncompress(char *dst, char *src, int len)
+void do_no_uncompress(char *dst, int dst_len, char *src, int src_len)
 {
-	memcpy(dst, src, len);
+	if (dst_len == src_len)
+		memcpy(dst, src, dst_len);
+	else
+	{
+		fprintf(stderr,"%s: src_len(%d)!=dst_len(%d)\n",
+			__FUNCTION__,src_len,dst_len);
+		exit(1);
+	}
 }
 
 /**
  * The default "uncompress" hook to call when no other compression is used
  */
-void uncompress_impossible(char *dst, char *src, int len)
+void uncompress_impossible(char *dst, int dst_len, char *src, int src_len)
 {
 	fprintf(stderr,
 		"Cannot uncompress data (algorithm not compiled in).\n");

Modified: coreboot-v3/util/lar/stream.c
===================================================================
--- coreboot-v3/util/lar/stream.c	2008-02-13 21:00:20 UTC (rev 593)
+++ coreboot-v3/util/lar/stream.c	2008-02-13 22:15:59 UTC (rev 594)
@@ -685,6 +685,7 @@
 
 				uncompress_functions[ntohl(header->compression)](
 					(char*) buf,
+					ntohl(header->reallen),
 					(char *) ptr + ntohl(header->offset),
 					ntohl(header->len));
 

Modified: coreboot-v3/util/lzma/minilzma.cc
===================================================================
--- coreboot-v3/util/lzma/minilzma.cc	2008-02-13 21:00:20 UTC (rev 593)
+++ coreboot-v3/util/lzma/minilzma.cc	2008-02-13 22:15:59 UTC (rev 594)
@@ -280,18 +280,24 @@
 #else
 extern "C" {
 
-void do_lzma_compress(char *in, int in_len, char *out,
-		      int *out_len) {
+void do_lzma_compress(char *in, int in_len, char *out, int *out_len) {
 	std::vector<unsigned char> result;
 	result = LZMACompress(std::vector<unsigned char>(in, in + in_len));
 	*out_len = result.size();
 	std::memcpy(out, &result[0], *out_len);
 }
 
-void do_lzma_uncompress(char *dst, char *src, int len) {
+void do_lzma_uncompress(char *dst, int dst_len, char *src, int src_len) {
 	std::vector<unsigned char> result;
-	result = LZMADeCompress(std::vector<unsigned char>(src, src + len));
-	std::memcpy(dst, &result[0], result.size());
+	result = LZMADeCompress(std::vector<unsigned char>(src, src + src_len));
+	if (result.size() <= dst_len)
+		std::memcpy(dst, &result[0], result.size());
+	else
+	{
+		fprintf(stderr, "Not copying %d bytes to %d-byte buffer!\n",
+			result.size(), dst_len);
+		exit(1);
+	}
 }
 
 }

Modified: coreboot-v3/util/nrv2b/nrv2b.c
===================================================================
--- coreboot-v3/util/nrv2b/nrv2b.c	2008-02-13 21:00:20 UTC (rev 593)
+++ coreboot-v3/util/nrv2b/nrv2b.c	2008-02-13 22:15:59 UTC (rev 594)
@@ -1338,16 +1338,16 @@
 #error "Bad Combination of ENDIAN and BITSIZE values specified"
 #endif
 
-#undef SAFE
+#define SAFE
 
 #ifdef SAFE
-#define FAIL(x,r)   if (x) { Error(r); }
+#define FAIL(x,r)   if (x) { fprintf(stderr,r); exit(1); }
 #else
 #define FAIL(x,r)
 #endif
 
 #ifdef COMPACT
-void do_nrv2b_uncompress(uint8_t *dst, uint8_t *src, int len) {
+void do_nrv2b_uncompress(uint8_t *dst, int dst_len, uint8_t *src, int src_len) {
 	unsigned long ilen = 0, olen = 0, last_m_off = 1;
 	uint32_t bb = 0;
 	unsigned bc = 0;



