From b75650d84d4b7892179ae183523011f6d898423d Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Fri, 16 Aug 2013 07:59:13 -0700 Subject: [PATCH] gzip: correctly bounds-check output buffer The output buffer size must not be reset by the gzip decoder or there is a risk of overflowing memory during decompression. Signed-off-by: Kees Cook Acked-by: Simon Glass --- lib/gunzip.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/lib/gunzip.c b/lib/gunzip.c index 9959781b00..35abfb38e1 100644 --- a/lib/gunzip.c +++ b/lib/gunzip.c @@ -89,13 +89,13 @@ int zunzip(void *dst, int dstlen, unsigned char *src, unsigned long *lenp, s.avail_out = dstlen; do { r = inflate(&s, Z_FINISH); - if (r != Z_STREAM_END && r != Z_BUF_ERROR && stoponerr == 1) { + if (stoponerr == 1 && r != Z_STREAM_END && + (s.avail_out == 0 || r != Z_BUF_ERROR)) { printf("Error: inflate() returned %d\n", r); inflateEnd(&s); return -1; } s.avail_in = *lenp - offset - (int)(s.next_out - (unsigned char*)dst); - s.avail_out = dstlen; } while (r == Z_BUF_ERROR); *lenp = s.next_out - (unsigned char *) dst; inflateEnd(&s); -- 2.30.2