gzip: correctly bounds-check output buffer

The output buffer size must not be reset by the gzip decoder or there
is a risk of overflowing memory during decompression.

Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Simon Glass <sjg@chromium.org>
This commit is contained in:
Kees Cook 2013-08-16 07:59:13 -07:00 committed by Simon Glass
parent 8ef7047845
commit b75650d84d

View File

@ -89,13 +89,13 @@ int zunzip(void *dst, int dstlen, unsigned char *src, unsigned long *lenp,
s.avail_out = dstlen;
do {
r = inflate(&s, Z_FINISH);
if (r != Z_STREAM_END && r != Z_BUF_ERROR && stoponerr == 1) {
if (stoponerr == 1 && r != Z_STREAM_END &&
(s.avail_out == 0 || r != Z_BUF_ERROR)) {
printf("Error: inflate() returned %d\n", r);
inflateEnd(&s);
return -1;
}
s.avail_in = *lenp - offset - (int)(s.next_out - (unsigned char*)dst);
s.avail_out = dstlen;
} while (r == Z_BUF_ERROR);
*lenp = s.next_out - (unsigned char *) dst;
inflateEnd(&s);