authorJulius Werner <jwerner@chromium.org>2016-08-05 20:43:47 -0700
committerMartin Roth <martinroth@google.com>2016-08-08 19:02:07 +0200
commite25d3ff9bd63cb7123461b266b42af664e81025d (patch)
tree006320d8697c4dd8f464e826ad53f05645919949 /payloads/libpayload/liblzma
parent5a6955517f023c3afa79da91f7100425a17f0739 (diff)
libpayload: lzma: Allocate scratchpad on the heap
Allocating a 15980-byte scratchpad on the stack when your default stack size is set to 16KB is really not a great idea. We're regularly overflowing into the end of our heap when using LZMA in libpayload, and just happen not to notice it because the heap rarely gets filled up all the way. Of course, since we always *have* a heap in libpayload, the much saner solution is to just use it directly to allocate the scratchpad rather than accidentally grow backwards into it anyway. Change-Id: Ibe4f02057a32bd156a126302178fa6fcab637d2c Signed-off-by: Julius Werner <jwerner@chromium.org> Reviewed-on: https://review.coreboot.org/16089 Tested-by: build bot (Jenkins) Reviewed-by: Aaron Durbin <adurbin@chromium.org>
Diffstat (limited to 'payloads/libpayload/liblzma')
-rw-r--r--payloads/libpayload/liblzma/lzma.c10
1 files changed, 7 insertions, 3 deletions
diff --git a/payloads/libpayload/liblzma/lzma.c b/payloads/libpayload/liblzma/lzma.c
index 767eb8683c..57a8b3a5c7 100644
--- a/payloads/libpayload/liblzma/lzma.c
+++ b/payloads/libpayload/liblzma/lzma.c
@@ -10,6 +10,7 @@
*/
#include <lzma.h>
+#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include "lzmadecode.c"
@@ -25,7 +26,7 @@ unsigned long ulzman(const unsigned char *src, unsigned long srcn,
int res;
CLzmaDecoderState state;
SizeT mallocneeds;
- unsigned char scratchpad[15980];
+ unsigned char *scratchpad;
memcpy(properties, src, LZMA_PROPERTIES_SIZE);
memcpy(&outSize, src + LZMA_PROPERTIES_SIZE, sizeof(outSize));
@@ -37,13 +38,16 @@ unsigned long ulzman(const unsigned char *src, unsigned long srcn,
return 0;
}
mallocneeds = (LzmaGetNumProbs(&state.Properties) * sizeof(CProb));
- if (mallocneeds > 15980) {
- printf("lzma: Decoder scratchpad too small!\n");
+ scratchpad = malloc(mallocneeds);
+ if (!scratchpad) {
+ printf("lzma: Cannot allocate %u bytes for scratchpad!\n",
+ mallocneeds);
return 0;
}
state.Probs = (CProb *)scratchpad;
res = LzmaDecode(&state, src + data_offset, srcn - data_offset,
&inProcessed, dst, outSize, &outProcessed);
+ free(scratchpad);
if (res != 0) {
printf("lzma: Decoding error = %d\n", res);
return 0;
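Review bot: The size passed to `malloc(mallocneeds)` is now derived entirely from the properties in the stream header, whereas the removed `mallocneeds > 15980` check put a fixed ceiling on how much memory a stream could demand. Any range checking done when the properties are decoded is outside this hunk, so I would either add a comment next to the allocation stating the worst-case size, or keep an explicit ceiling such as `if (mallocneeds > LZMA_SCRATCHPAD_MAX) return 0;`, where `LZMA_SCRATCHPAD_MAX` is a placeholder for a new constant sized to the payload heap. Separately, the new message prints `mallocneeds` with `%u`; if `SizeT` is wider than `unsigned int` on any target, that is a format mismatch, and passing `(unsigned int)mallocneeds` would avoid it. Placing `free(scratchpad)` before the `res` check does release the buffer on both the error and success paths; `ulzman` itself starts and ends outside the hunk.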