			
		
		
		
	This checks the size of the output buffer and fails if it was going to overflow the buffer during lzo decompression. Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: Simon Glass <sjg@chromium.org>
		
			
				
	
	
		
		
	
	
	
	
	
| /*
 | |
|  *  LZO1X Decompressor from MiniLZO
 | |
|  *
 | |
|  *  Copyright (C) 1996-2005 Markus F.X.J. Oberhumer <markus@oberhumer.com>
 | |
|  *
 | |
|  *  The full LZO package can be found at:
 | |
|  *  http://www.oberhumer.com/opensource/lzo/
 | |
|  *
 | |
|  *  Changed for kernel use by:
 | |
|  *  Nitin Gupta <nitingupta910@gmail.com>
 | |
|  *  Richard Purdie <rpurdie@openedhand.com>
 | |
|  */
 | |
| 
 | |
| #include <common.h>
 | |
| #include <linux/lzo.h>
 | |
| #include <asm/byteorder.h>
 | |
| #include <asm/unaligned.h>
 | |
| #include "lzodefs.h"
 | |
| 
 | |
/*
 * Bounds predicates used by the decompressor. Despite the HAVE_ prefix, each
 * one evaluates to true when the check FAILS, which is why callers write
 * "if (HAVE_IP(...)) goto input_overrun;".
 *
 * The pointer difference is cast to size_t, so a cursor that has already
 * moved past its end pointer yields a very large value and the predicate
 * reports that enough room is left. The checks are therefore only meaningful
 * while ip <= ip_end and op <= op_end hold.
 */
/* True when fewer than x bytes remain between ip and ip_end. */
#define HAVE_IP(x, ip_end, ip) ((size_t)(ip_end - ip) < (x))
/* True when fewer than x bytes remain between op and op_end. */
#define HAVE_OP(x, op_end, op) ((size_t)(op_end - op) < (x))
/* True when m_pos lies outside [out, op), the output produced so far. */
#define HAVE_LB(m_pos, out, op) (m_pos < out || m_pos >= op)

/* Copy one u32 from src to dst through the unaligned accessors. */
#define COPY4(dst, src)	\
		put_unaligned(get_unaligned((const u32 *)(src)), (u32 *)(dst))

/* Byte sequence parse_header() requires at the very start of the input. */
static const unsigned char lzop_magic[] = {
	0x89, 0x4c, 0x5a, 0x4f, 0x00, 0x0d, 0x0a, 0x1a, 0x0a
};

/* Header flag bit; when set, parse_header() skips 4 bytes of filter info. */
#define HEADER_HAS_FILTER	0x00000800L
 | |
| 
 | |
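/*
 * Validate the lzop file header and return a pointer to the first block.
 *
 * @src: start of the lzop image
 * @end: one past the last readable input byte
 *
 * Every field is length-checked against @end before it is read, so a
 * truncated or hostile header cannot pull the cursor beyond the input. The
 * header checksum is skipped, not verified.
 *
 * Returns the address just behind the header, or NULL when the magic does
 * not match or the header does not fit into the input.
 */
static inline const unsigned char *parse_header(const unsigned char *src,
						const unsigned char *end)
{
	size_t left = end - src;
	size_t skip, name_len, i;
	u16 version;

	/*
	 * magic (9 bytes), version (2), library version (2),
	 * 'need to be extracted' version (2) and method (1)
	 */
	if (left < ARRAY_SIZE(lzop_magic) + 7)
		return NULL;

	/* read magic: 9 first bytes */
	for (i = 0; i < ARRAY_SIZE(lzop_magic); i++) {
		if (*src++ != lzop_magic[i])
			return NULL;
	}
	version = get_unaligned_be16(src);
	src += 7;
	left -= ARRAY_SIZE(lzop_magic) + 7;

	/* one additional byte is present from version 0x0940 on */
	if (version >= 0x0940) {
		if (left < 1)
			return NULL;
		src++;
		left--;
	}

	/* the flags word decides whether filter info follows */
	if (left < 4)
		return NULL;
	skip = 12;		/* flags, mode and mtime_low */
	if (get_unaligned_be32(src) & HEADER_HAS_FILTER)
		skip += 4;	/* filter info */
	if (version >= 0x0940)
		skip += 4;	/* mtime_high */

	/* fixed fields plus the one-byte file name length */
	if (left < skip + 1)
		return NULL;
	src += skip;
	left -= skip;

	name_len = *src++;
	left--;

	/* don't care about the file name, and skip checksum */
	if (left < name_len + 4)
		return NULL;

	return src + name_len + 4;
}

/*
 * Decompress an lzop image block by block.
 *
 * @src:     start of the lzop image (header included)
 * @src_len: number of readable bytes at @src
 * @dst:     output buffer
 * @dst_len: in: capacity of @dst; out: bytes written, stored only when the
 *           terminating zero-length block is reached
 *
 * Block sizes come from the image itself, so each one is checked against
 * what is left of the input and of the output before the block is handed to
 * lzo1x_decompress_safe(). The 4 bytes of checksum info after the compressed
 * size are skipped without being verified.
 *
 * Returns LZO_E_OK on success, LZO_E_ERROR for a bad header or inconsistent
 * block sizes, LZO_E_INPUT_OVERRUN when the input ends early,
 * LZO_E_OUTPUT_OVERRUN when @dst is too small, or the error reported by
 * lzo1x_decompress_safe().
 */
int lzop_decompress(const unsigned char *src, size_t src_len,
		    unsigned char *dst, size_t *dst_len)
{
	unsigned char *start = dst;
	const unsigned char *send = src + src_len;
	u32 slen, dlen;
	size_t tmp, remaining;
	int r;

	src = parse_header(src, send);
	if (!src)
		return LZO_E_ERROR;

	remaining = *dst_len;
	while (src < send) {
		/* read uncompressed block size */
		if ((size_t)(send - src) < 4)
			return LZO_E_INPUT_OVERRUN;
		dlen = get_unaligned_be32(src);
		src += 4;

		/* exit if last block */
		if (dlen == 0) {
			*dst_len = dst - start;
			return LZO_E_OK;
		}

		/* read compressed block size, and skip block checksum info */
		if ((size_t)(send - src) < 8)
			return LZO_E_INPUT_OVERRUN;
		slen = get_unaligned_be32(src);
		src += 8;

		if (slen == 0 || slen > dlen)
			return LZO_E_ERROR;

		/* abort if buffer ran out of room */
		if (dlen > remaining)
			return LZO_E_OUTPUT_OVERRUN;

		/* the compressed block must lie entirely inside the input */
		if (slen > (size_t)(send - src))
			return LZO_E_INPUT_OVERRUN;

		/* decompress */
		tmp = dlen;
		r = lzo1x_decompress_safe((u8 *) src, slen, dst, &tmp);

		if (r != LZO_E_OK)
			return r;

		/* the block must expand to exactly the announced size */
		if (dlen != tmp)
			return LZO_E_ERROR;

		src += slen;
		dst += dlen;
		remaining -= dlen;
	}

	/* input ended without the terminating zero-length block */
	return LZO_E_INPUT_OVERRUN;
}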
 | |
| 
 | |
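/*
 * Decompress one LZO1X stream with bounds checking.
 *
 * @in:      compressed data
 * @in_len:  number of readable bytes at @in
 * @out:     output buffer
 * @out_len: in: capacity of @out; out: number of bytes written, set on every
 *           exit path
 *
 * The stream is untrusted. Each read is preceded by a HAVE_IP() test, each
 * write by a HAVE_OP() test and each back-reference by a HAVE_LB() test.
 * Run lengths built from runs of zero bytes are capped before they can wrap
 * size_t, because a wrapped "t + n" would satisfy those tests while the copy
 * loop still runs for the unwrapped count.
 *
 * Returns LZO_E_OK when the end marker is found exactly at the end of the
 * input, LZO_E_INPUT_NOT_CONSUMED when input is left over after the marker,
 * LZO_E_EOF_NOT_FOUND when the input ends without a marker,
 * LZO_E_INPUT_OVERRUN, LZO_E_OUTPUT_OVERRUN or LZO_E_LOOKBEHIND_OVERRUN when
 * the matching bounds test fails, and LZO_E_ERROR for an oversized run
 * length.
 */
int lzo1x_decompress_safe(const unsigned char *in, size_t in_len,
			unsigned char *out, size_t *out_len)
{
	const unsigned char * const ip_end = in + in_len;
	unsigned char * const op_end = out + *out_len;
	const unsigned char *ip = in, *m_pos;
	unsigned char *op = out;
	/*
	 * Ceiling for a run length while it is being accumulated. It leaves
	 * room for the last "+= 255", the final "+ 31 + byte" and the small
	 * constants added inside the bounds tests.
	 */
	const size_t t_limit = ~(size_t)0 - 1024;
	size_t t;

	*out_len = 0;

	/* even an empty stream carries the 3-byte end marker */
	if (in_len < 3)
		goto input_overrun;

	/* a first byte above 17 encodes an initial literal run of (byte - 17) */
	if (*ip > 17) {
		t = *ip++ - 17;
		if (t < 4)
			goto match_next;
		if (HAVE_OP(t, op_end, op))
			goto output_overrun;
		if (HAVE_IP(t + 1, ip_end, ip))
			goto input_overrun;
		do {
			*op++ = *ip++;
		} while (--t > 0);
		goto first_literal_run;
	}

	while ((ip < ip_end)) {
		t = *ip++;
		if (t >= 16)
			goto match;
		/* a zero length byte is extended by 255 per following zero byte */
		if (t == 0) {
			if (HAVE_IP(1, ip_end, ip))
				goto input_overrun;
			while (*ip == 0) {
				if (t >= t_limit)
					goto length_overrun;
				t += 255;
				ip++;
				if (HAVE_IP(1, ip_end, ip))
					goto input_overrun;
			}
			t += 15 + *ip++;
		}
		/* t + 3 literals are copied; one further input byte is read after */
		if (HAVE_OP(t + 3, op_end, op))
			goto output_overrun;
		if (HAVE_IP(t + 4, ip_end, ip))
			goto input_overrun;

		COPY4(op, ip);
		op += 4;
		ip += 4;
		if (--t > 0) {
			if (t >= 4) {
				do {
					COPY4(op, ip);
					op += 4;
					ip += 4;
					t -= 4;
				} while (t >= 4);
				if (t > 0) {
					do {
						*op++ = *ip++;
					} while (--t > 0);
				}
			} else {
				do {
					*op++ = *ip++;
				} while (--t > 0);
			}
		}

first_literal_run:
		/* this byte is covered by the "+ 1" of the preceding input test */
		t = *ip++;
		if (t >= 16)
			goto match;
		/* the second byte of the match code is not covered yet */
		if (HAVE_IP(1, ip_end, ip))
			goto input_overrun;
		m_pos = op - (1 + M2_MAX_OFFSET);
		m_pos -= t >> 2;
		m_pos -= *ip++ << 2;

		if (HAVE_LB(m_pos, out, op))
			goto lookbehind_overrun;

		if (HAVE_OP(3, op_end, op))
			goto output_overrun;
		*op++ = *m_pos++;
		*op++ = *m_pos++;
		*op++ = *m_pos;

		goto match_done;

		do {
match:
			if (t >= 64) {
				/* two-byte match code: check the offset byte */
				if (HAVE_IP(1, ip_end, ip))
					goto input_overrun;
				m_pos = op - 1;
				m_pos -= (t >> 2) & 7;
				m_pos -= *ip++ << 3;
				t = (t >> 5) - 1;
				if (HAVE_LB(m_pos, out, op))
					goto lookbehind_overrun;
				if (HAVE_OP(t + 3 - 1, op_end, op))
					goto output_overrun;
				goto copy_match;
			} else if (t >= 32) {
				t &= 31;
				if (t == 0) {
					if (HAVE_IP(1, ip_end, ip))
						goto input_overrun;
					while (*ip == 0) {
						if (t >= t_limit)
							goto length_overrun;
						t += 255;
						ip++;
						if (HAVE_IP(1, ip_end, ip))
							goto input_overrun;
					}
					t += 31 + *ip++;
				}
				/* 16-bit little-endian offset field follows */
				if (HAVE_IP(2, ip_end, ip))
					goto input_overrun;
				m_pos = op - 1;
				m_pos -= get_unaligned_le16(ip) >> 2;
				ip += 2;
			} else if (t >= 16) {
				m_pos = op;
				m_pos -= (t & 8) << 11;

				t &= 7;
				if (t == 0) {
					if (HAVE_IP(1, ip_end, ip))
						goto input_overrun;
					while (*ip == 0) {
						if (t >= t_limit)
							goto length_overrun;
						t += 255;
						ip++;
						if (HAVE_IP(1, ip_end, ip))
							goto input_overrun;
					}
					t += 7 + *ip++;
				}
				/* 16-bit little-endian offset field follows */
				if (HAVE_IP(2, ip_end, ip))
					goto input_overrun;
				m_pos -= get_unaligned_le16(ip) >> 2;
				ip += 2;
				/* a zero distance in this form is the end marker */
				if (m_pos == op)
					goto eof_found;
				m_pos -= 0x4000;
			} else {
				/* two-byte match code: check the offset byte */
				if (HAVE_IP(1, ip_end, ip))
					goto input_overrun;
				m_pos = op - 1;
				m_pos -= t >> 2;
				m_pos -= *ip++ << 2;

				if (HAVE_LB(m_pos, out, op))
					goto lookbehind_overrun;
				if (HAVE_OP(2, op_end, op))
					goto output_overrun;

				*op++ = *m_pos++;
				*op++ = *m_pos;
				goto match_done;
			}

			if (HAVE_LB(m_pos, out, op))
				goto lookbehind_overrun;
			if (HAVE_OP(t + 3 - 1, op_end, op))
				goto output_overrun;

			/*
			 * Word-wise copy only when source and destination are at
			 * least 4 bytes apart; closer matches overlap and are
			 * copied byte by byte.
			 */
			if (t >= 2 * 4 - (3 - 1) && (op - m_pos) >= 4) {
				COPY4(op, m_pos);
				op += 4;
				m_pos += 4;
				t -= 4 - (3 - 1);
				do {
					COPY4(op, m_pos);
					op += 4;
					m_pos += 4;
					t -= 4;
				} while (t >= 4);
				if (t > 0)
					do {
						*op++ = *m_pos++;
					} while (--t > 0);
			} else {
copy_match:
				*op++ = *m_pos++;
				*op++ = *m_pos++;
				do {
					*op++ = *m_pos++;
				} while (--t > 0);
			}
match_done:
			/* low two bits of the match code: trailing literal count */
			t = ip[-2] & 3;
			if (t == 0)
				break;
match_next:
			if (HAVE_OP(t, op_end, op))
				goto output_overrun;
			if (HAVE_IP(t + 1, ip_end, ip))
				goto input_overrun;

			*op++ = *ip++;
			if (t > 1) {
				*op++ = *ip++;
				if (t > 2)
					*op++ = *ip++;
			}

			t = *ip++;
		} while (ip < ip_end);
	}

	*out_len = op - out;
	return LZO_E_EOF_NOT_FOUND;

eof_found:
	*out_len = op - out;
	return (ip == ip_end ? LZO_E_OK :
		(ip < ip_end ? LZO_E_INPUT_NOT_CONSUMED : LZO_E_INPUT_OVERRUN));
input_overrun:
	*out_len = op - out;
	return LZO_E_INPUT_OVERRUN;

output_overrun:
	*out_len = op - out;
	return LZO_E_OUTPUT_OVERRUN;

lookbehind_overrun:
	*out_len = op - out;
	return LZO_E_LOOKBEHIND_OVERRUN;

length_overrun:
	/* run length too large to be represented without wrapping */
	*out_len = op - out;
	return LZO_E_ERROR;
}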
 |