diff options
author | Nico Huber <nico.huber@secunet.com> | 2015-10-02 19:38:24 +0200 |
---|---|---|
committer | Aaron Durbin <adurbin@chromium.org> | 2015-10-02 19:19:32 +0000 |
commit | ac1f4b86f4a82f00c07aa21707703c5c70d9c604 (patch) | |
tree | 3f20fec0c45621f25da8c3be0a8499632a1cd766 /payloads/libpayload/libcbfs | |
parent | 8a414a0943931bcedcfcbc5159d9a4b7e52a432f (diff) | |
download | coreboot-ac1f4b86f4a82f00c07aa21707703c5c70d9c604.tar.xz |
libpayload: Fix possible NULL deref in cbfs_get_file_content()
Change-Id: I2e10ccac3248717d90838ca721cc691de792b507
Signed-off-by: Nico Huber <nico.huber@secunet.com>
Reviewed-on: http://review.coreboot.org/11780
Tested-by: build bot (Jenkins)
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
Diffstat (limited to 'payloads/libpayload/libcbfs')
-rw-r--r-- | payloads/libpayload/libcbfs/cbfs_core.c | 13 |
1 files changed, 7 insertions, 6 deletions
diff --git a/payloads/libpayload/libcbfs/cbfs_core.c b/payloads/libpayload/libcbfs/cbfs_core.c index 4c898c62ac..369d946f81 100644 --- a/payloads/libpayload/libcbfs/cbfs_core.c +++ b/payloads/libpayload/libcbfs/cbfs_core.c @@ -207,14 +207,12 @@ void *cbfs_get_file_content(struct cbfs_media *media, const char *name, return NULL; } - if (sz) - *sz = ntohl(file->len); - void *file_content = (void *)CBFS_SUBHEADER(file); struct cbfs_file_attribute *attr = cbfs_file_find_attr(file, CBFS_FILE_ATTR_TAG_COMPRESSION); + size_t final_size = ntohl(file->len); int compression_algo = CBFS_COMPRESS_NONE; if (attr) { struct cbfs_file_attr_compression *comp = @@ -222,16 +220,19 @@ void *cbfs_get_file_content(struct cbfs_media *media, const char *name, compression_algo = ntohl(comp->compression); DEBUG("File '%s' is compressed (alg=%d)\n", name, compression_algo); - *sz = ntohl(comp->decompressed_size); + final_size = ntohl(comp->decompressed_size); } - void *dst = malloc(*sz); + void *dst = malloc(final_size); if (dst == NULL) goto err; - if (!cbfs_decompress(compression_algo, file_content, dst, *sz)) + if (!cbfs_decompress(compression_algo, file_content, dst, final_size)) goto err; + if (sz) + *sz = final_size; + media->unmap(media, file); return dst; |