lzma: fix buffer bound check error further

Commit 4d3b8a0d fixed a problem with lzma decompress where it would
run out of bytes to decompress. The algorithm needs to know how many
uncompressed bytes it is expected to produce.

However, the fix introduced a potential buffer overrun, and causes
the compression test to fail (test_compression command in sandbox).

The correct fix seems to be to use the minimum of the expected number
of uncompressed bytes and the amount of output space available. That
way things work normally when there is enough space, and return an
error (without overrunning available space) when there is not.

Signed-off-by: Antonios Vamporakis <ant@area128.com>
CC: Kees Cook <keescook@chromium.org>
CC: Simon Glass <sjg@chromium.org>
CC: Daniel Schwierzeck <daniel.schwierzeck@gmail.com>
CC: Luka Perkov <luka@openwrt.org>
Signed-off-by: Simon Glass <sjg@chromium.org>

diff --git a/lib/lzma/LzmaTools.c b/lib/lzma/LzmaTools.c
index cfc7cb02f78d1b28bc35b94040873ce155004387..f88629b74f34f2e976d8497aa49a54944d87b67d 100644 (file)
--- a/lib/lzma/LzmaTools.c
+++ b/lib/lzma/LzmaTools.c
@@ -102,7 +102,7 @@ int lzmaBuffToBuffDecompress (unsigned char *outStream, SizeT *uncompressedSize,
         return SZ_ERROR_OUTPUT_EOF;
 
     /* Decompress */
-    outProcessed = outSizeFull;
+    outProcessed = min(outSizeFull, *uncompressedSize);
 
     WATCHDOG_RESET();
 
@@ -112,7 +112,7 @@ int lzmaBuffToBuffDecompress (unsigned char *outStream, SizeT *uncompressedSize,
         inStream, LZMA_PROPS_SIZE, LZMA_FINISH_END, &state, &g_Alloc);
     *uncompressedSize = outProcessed;
 
-    debug("LZMA: Uncompresed ................ 0x%zx\n", outProcessed);
+    debug("LZMA: Uncompressed ............... 0x%zx\n", outProcessed);
 
     if (res != SZ_OK)  {
         return res;