summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--payloads/libpayload/liblz4/lz4.c.inc1
-rw-r--r--payloads/libpayload/liblz4/lz4_wrapper.c3
-rw-r--r--src/commonlib/bsd/lz4.c.inc1
-rw-r--r--src/commonlib/bsd/lz4_wrapper.c3
-rw-r--r--util/cbfstool/lz4/lib/lz4.c1
5 files changed, 9 insertions, 0 deletions
diff --git a/payloads/libpayload/liblz4/lz4.c.inc b/payloads/libpayload/liblz4/lz4.c.inc
index baa911021d..68fac47c89 100644
--- a/payloads/libpayload/liblz4/lz4.c.inc
+++ b/payloads/libpayload/liblz4/lz4.c.inc
@@ -150,6 +150,7 @@ FORCE_INLINE int LZ4_decompress_generic(
if ((length=(token>>ML_BITS)) == RUN_MASK)
{
unsigned s;
+ if ((endOnInput) && unlikely(ip>=iend-RUN_MASK)) goto _output_error; /* overflow detection */
do
{
s = *ip++;
diff --git a/payloads/libpayload/liblz4/lz4_wrapper.c b/payloads/libpayload/liblz4/lz4_wrapper.c
index d125ce336f..3d17fe6742 100644
--- a/payloads/libpayload/liblz4/lz4_wrapper.c
+++ b/payloads/libpayload/liblz4/lz4_wrapper.c
@@ -141,6 +141,9 @@ size_t ulz4fn(const void *src, size_t srcn, void *dst, size_t dstn)
}
while (1) {
+ if ((size_t)(in - src) + sizeof(struct lz4_block_header) > srcn)
+ break; /* input overrun */
+
struct lz4_block_header b = { .raw = le32toh(*(uint32_t *)in) };
in += sizeof(struct lz4_block_header);
diff --git a/src/commonlib/bsd/lz4.c.inc b/src/commonlib/bsd/lz4.c.inc
index b3be4e5b44..8c75e2f279 100644
--- a/src/commonlib/bsd/lz4.c.inc
+++ b/src/commonlib/bsd/lz4.c.inc
@@ -150,6 +150,7 @@ FORCE_INLINE int LZ4_decompress_generic(
if ((length=(token>>ML_BITS)) == RUN_MASK)
{
unsigned s;
+ if ((endOnInput) && unlikely(ip>=iend-RUN_MASK)) goto _output_error; /* overflow detection */
do
{
s = *ip++;
diff --git a/src/commonlib/bsd/lz4_wrapper.c b/src/commonlib/bsd/lz4_wrapper.c
index 2367afceaf..3822e8c60f 100644
--- a/src/commonlib/bsd/lz4_wrapper.c
+++ b/src/commonlib/bsd/lz4_wrapper.c
@@ -129,6 +129,9 @@ size_t ulz4fn(const void *src, size_t srcn, void *dst, size_t dstn)
}
while (1) {
+ if ((size_t)(in - src) + sizeof(struct lz4_block_header) > srcn)
+ break; /* input overrun */
+
struct lz4_block_header b = {
{ .raw = le32toh(*(const uint32_t *)in) }
};
diff --git a/util/cbfstool/lz4/lib/lz4.c b/util/cbfstool/lz4/lib/lz4.c
index 9c9a9a0d00..e393690203 100644
--- a/util/cbfstool/lz4/lib/lz4.c
+++ b/util/cbfstool/lz4/lib/lz4.c
@@ -1206,6 +1206,7 @@ FORCE_INLINE int LZ4_decompress_generic(
if ((length=(token>>ML_BITS)) == RUN_MASK)
{
unsigned s;
+ if ((endOnInput) && unlikely(ip>=iend-RUN_MASK)) goto _output_error; /* overflow detection */
do
{
s = *ip++;