diff options
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/gunzip.c | 4 | ||||
| -rw-r--r-- | lib/lzma/LzmaTools.c | 8 | ||||
| -rw-r--r-- | lib/lzo/lzo1x_decompress.c | 8 |
3 files changed, 15 insertions, 5 deletions
diff --git a/lib/gunzip.c b/lib/gunzip.c index 9959781b000..35abfb38e17 100644 --- a/lib/gunzip.c +++ b/lib/gunzip.c @@ -89,13 +89,13 @@ int zunzip(void *dst, int dstlen, unsigned char *src, unsigned long *lenp, s.avail_out = dstlen; do { r = inflate(&s, Z_FINISH); - if (r != Z_STREAM_END && r != Z_BUF_ERROR && stoponerr == 1) { + if (stoponerr == 1 && r != Z_STREAM_END && + (s.avail_out == 0 || r != Z_BUF_ERROR)) { printf("Error: inflate() returned %d\n", r); inflateEnd(&s); return -1; } s.avail_in = *lenp - offset - (int)(s.next_out - (unsigned char*)dst); - s.avail_out = dstlen; } while (r == Z_BUF_ERROR); *lenp = s.next_out - (unsigned char *) dst; inflateEnd(&s); diff --git a/lib/lzma/LzmaTools.c b/lib/lzma/LzmaTools.c index 8d1165e11bd..0aec2f9c76b 100644 --- a/lib/lzma/LzmaTools.c +++ b/lib/lzma/LzmaTools.c @@ -97,15 +97,19 @@ int lzmaBuffToBuffDecompress (unsigned char *outStream, SizeT *uncompressedSize, g_Alloc.Alloc = SzAlloc; g_Alloc.Free = SzFree; + /* Short-circuit early if we know the buffer can't hold the results. */ + if (outSizeFull != (SizeT)-1 && *uncompressedSize < outSizeFull) + return SZ_ERROR_OUTPUT_EOF; + /* Decompress */ - outProcessed = outSizeFull; + outProcessed = *uncompressedSize; WATCHDOG_RESET(); res = LzmaDecode( outStream, &outProcessed, inStream + LZMA_DATA_OFFSET, &compressedSize, - inStream, LZMA_PROPS_SIZE, LZMA_FINISH_ANY, &state, &g_Alloc); + inStream, LZMA_PROPS_SIZE, LZMA_FINISH_END, &state, &g_Alloc); *uncompressedSize = outProcessed; if (res != SZ_OK) { return res; diff --git a/lib/lzo/lzo1x_decompress.c b/lib/lzo/lzo1x_decompress.c index e6ff708f119..35f3793f31c 100644 --- a/lib/lzo/lzo1x_decompress.c +++ b/lib/lzo/lzo1x_decompress.c @@ -68,13 +68,14 @@ int lzop_decompress(const unsigned char *src, size_t src_len, unsigned char *start = dst; const unsigned char *send = src + src_len; u32 slen, dlen; - size_t tmp; + size_t tmp, remaining; int r; src = parse_header(src); if (!src) return LZO_E_ERROR; + remaining = *dst_len; while (src < send) { /* read uncompressed block size */ dlen = get_unaligned_be32(src); @@ -93,6 +94,10 @@ int lzop_decompress(const unsigned char *src, size_t src_len, if (slen <= 0 || slen > dlen) return LZO_E_ERROR; + /* abort if buffer ran out of room */ + if (dlen > remaining) + return LZO_E_OUTPUT_OVERRUN; + /* decompress */ tmp = dlen; r = lzo1x_decompress_safe((u8 *) src, slen, dst, &tmp); @@ -105,6 +110,7 @@ int lzop_decompress(const unsigned char *src, size_t src_len, src += slen; dst += dlen; + remaining -= dlen; } return LZO_E_INPUT_OVERRUN; |