lzo: correctly bounds-check output buffer

This checks the size of the output buffer and fails if it was going to
overflow the buffer during lzo decompression.

Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Simon Glass <sjg@chromium.org>

diff --git a/lib/lzo/lzo1x_decompress.c b/lib/lzo/lzo1x_decompress.c
index e6ff708f11999e0ddf96efe06818d61c15fa382c..35f3793f31c61e045df3c634b5299d7c735fc623 100644 (file)
--- a/lib/lzo/lzo1x_decompress.c
+++ b/lib/lzo/lzo1x_decompress.c
@@ -68,13 +68,14 @@ int lzop_decompress(const unsigned char *src, size_t src_len,
        unsigned char *start = dst;
        const unsigned char *send = src + src_len;
        u32 slen, dlen;
-       size_t tmp;
+       size_t tmp, remaining;
        int r;
 
        src = parse_header(src);
        if (!src)
                return LZO_E_ERROR;
 
+       remaining = *dst_len;
        while (src < send) {
                /* read uncompressed block size */
                dlen = get_unaligned_be32(src);
@@ -93,6 +94,10 @@ int lzop_decompress(const unsigned char *src, size_t src_len,
                if (slen <= 0 || slen > dlen)
                        return LZO_E_ERROR;
 
+               /* abort if buffer ran out of room */
+               if (dlen > remaining)
+                       return LZO_E_OUTPUT_OVERRUN;
+
                /* decompress */
                tmp = dlen;
                r = lzo1x_decompress_safe((u8 *) src, slen, dst, &tmp);
@@ -105,6 +110,7 @@ int lzop_decompress(const unsigned char *src, size_t src_len,
 
                src += slen;
                dst += dlen;
+               remaining -= dlen;
        }
 
        return LZO_E_INPUT_OVERRUN;