From: Kees Cook Date: Fri, 16 Aug 2013 14:59:13 +0000 (-0700) Subject: gzip: correctly bounds-check output buffer X-Git-Url: http://git.lede-project.org./?a=commitdiff_plain;h=b75650d84d4b7892179ae183523011f6d898423d;p=project%2Fbcm63xx%2Fu-boot.git gzip: correctly bounds-check output buffer The output buffer size must not be reset by the gzip decoder or there is a risk of overflowing memory during decompression. Signed-off-by: Kees Cook Acked-by: Simon Glass --- diff --git a/lib/gunzip.c b/lib/gunzip.c index 9959781b00..35abfb38e1 100644 --- a/lib/gunzip.c +++ b/lib/gunzip.c @@ -89,13 +89,13 @@ int zunzip(void *dst, int dstlen, unsigned char *src, unsigned long *lenp, s.avail_out = dstlen; do { r = inflate(&s, Z_FINISH); - if (r != Z_STREAM_END && r != Z_BUF_ERROR && stoponerr == 1) { + if (stoponerr == 1 && r != Z_STREAM_END && + (s.avail_out == 0 || r != Z_BUF_ERROR)) { printf("Error: inflate() returned %d\n", r); inflateEnd(&s); return -1; } s.avail_in = *lenp - offset - (int)(s.next_out - (unsigned char*)dst); - s.avail_out = dstlen; } while (r == Z_BUF_ERROR); *lenp = s.next_out - (unsigned char *) dst; inflateEnd(&s);