author: You-Cheng Syu <youcheng@google.com> 2019-02-27 15:29:15 +0800
committer: Patrick Georgi <pgeorgi@google.com> 2019-02-28 13:56:26 +0000
commit: 5ec1d24974de8280a615047804bdfa73720777c8
tree: ad5dca182b1ffa2702a40357d6769509d5c8927b /payloads/libpayload/libcbfs/cbfs.c
parent: 08087a3e8af00e423fe8df02ac658fb6a1f31f45

libpayload: cbfs: Require input size and output size for cbfs_decompress

Currently, cbfs_decompress() calls ulzma() and ulz4f() for LZMA/LZ4 decompression. These two functions don't accept input/output size as parameters.

We can make cbfs_decompress more robust by calling ulzman() and ulz4fn() instead. This could prevent us from overflowing destination buffer.

BUG=none
BRANCH=none
TEST=boot into kernel on Kukui with COMPRESSED_PAYLOAD_LZMA / COMPRESSED_PAYLOAD_LZ4.

Change-Id: Ibe617825bd000ed618791d8e3c5f65bbbd5f7e33
Signed-off-by: You-Cheng Syu <youcheng@google.com>
Reviewed-on: https://review.coreboot.org/c/31606
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>

Diffstat (limited to 'payloads/libpayload/libcbfs/cbfs.c')
-rw-r--r-- payloads/libpayload/libcbfs/cbfs.c | 3
1 files changed, 2 insertions, 1 deletions

diff --git a/payloads/libpayload/libcbfs/cbfs.c b/payloads/libpayload/libcbfs/cbfs.c
index 577fb2075a..d679e6708a 100644
--- a/payloads/libpayload/libcbfs/cbfs.c
+++ b/payloads/libpayload/libcbfs/cbfs.c
@@ -114,8 +114,9 @@ void * cbfs_load_stage(struct cbfs_media *media, const char *name)
final_size = cbfs_decompress(stage->compression,
((unsigned char *) stage) +
sizeof(struct cbfs_stage),
+ stage->len,
(void *) (uintptr_t) stage->load,
- stage->len);
+ stage->memlen);
if (!final_size) {
entry = -1;
goto out;
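
Review bot: In the cbfs_decompress() call, the new output bound stage->memlen and the destination stage->load both come from the same stage header, so the bound keeps the decompressor from writing past memlen bytes, but nothing in this hunk checks that the range starting at stage->load and spanning stage->memlen is memory the payload is allowed to overwrite. The input size stage->len is likewise passed straight from the header with no visible check that it fits inside the CBFS file holding the stage. Consider validating both values before the call, and treating a failed check the same way as the existing !final_size path (entry = -1; goto out). Because the call now carries two size arguments, a one-line comment marking stage->len as the compressed input size and stage->memlen as the destination capacity would make an accidental swap easier to spot in later edits.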