-rw-r--r--package/boot/uboot-lantiq/patches/0041-lzam-fixup.patch44
1 files changed, 44 insertions, 0 deletions
diff --git a/package/boot/uboot-lantiq/patches/0041-lzam-fixup.patch b/package/boot/uboot-lantiq/patches/0041-lzam-fixup.patch
new file mode 100644
index 0000000000..5b16758fa4
--- /dev/null
+++ b/package/boot/uboot-lantiq/patches/0041-lzam-fixup.patch
@@ -0,0 +1,44 @@
+From: Antonios Vamporakis <ant@area128.com>
+Date: Tue, 31 Dec 2013 01:05:42 +0100
+Subject: [PATCH] lzma: fix buffer bound check error
+
+Variable uncompressedSize references the space available, while outSizeFull is
+the actual expected uncompressed size. Using the wrong value causes LzmaDecode
+to return SZ_ERROR_INPUT_EOF. Problem was introduced in commit afca294. While
+at it add additional debug message.
+
+Signed-off-by: Antonios Vamporakis <ant@area128.com>
+CC: Kees Cook <keescook@chromium.org>
+CC: Simon Glass <sjg@chromium.org>
+CC: Daniel Schwierzeck <daniel.schwierzeck@gmail.com>
+CC: Luka Perkov <luka@openwrt.org>
+---
+ lib/lzma/LzmaTools.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/lib/lzma/LzmaTools.c b/lib/lzma/LzmaTools.c
+index 0aec2f9..90d31cd 100644
+--- a/lib/lzma/LzmaTools.c
++++ b/lib/lzma/LzmaTools.c
+@@ -102,7 +102,7 @@ int lzmaBuffToBuffDecompress (unsigned char *outStream, SizeT *uncompressedSize,
+ return SZ_ERROR_OUTPUT_EOF;
+
+ /* Decompress */
+- outProcessed = *uncompressedSize;
++ outProcessed = outSizeFull;
+
+ WATCHDOG_RESET();
+
+@@ -111,6 +111,9 @@ int lzmaBuffToBuffDecompress (unsigned char *outStream, SizeT *uncompressedSize,
+ inStream + LZMA_DATA_OFFSET, &compressedSize,
+ inStream, LZMA_PROPS_SIZE, LZMA_FINISH_END, &state, &g_Alloc);
+ *uncompressedSize = outProcessed;
++
++ debug("LZMA: Uncompresed ................ 0x%zx\n", outProcessed);
++
+ if (res != SZ_OK) {
+ return res;
+ }
+--
+1.8.3.2
+
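Review bot: In the lzmaBuffToBuffDecompress hunk of the added patch, `outProcessed = outSizeFull;` takes the decoder's output limit from the size field in the LZMA stream header instead of from the caller's buffer size, so the only thing keeping writes inside `outStream` is the check ending in `return SZ_ERROR_OUTPUT_EOF;`, whose condition lies outside the hunk. If that check does not reject every header value larger than `*uncompressedSize` (for instance a header that marks the size as unknown, which cannot be confirmed from the visible lines), LzmaDecode is handed a length larger than the destination buffer. Clamping keeps both the fix and the bound: `outProcessed = (outSizeFull < *uncompressedSize) ? outSizeFull : *uncompressedSize;`. Minor: the new debug string spells "Uncompresed", and it is printed before `res` is tested, so it also reports a byte count for failed decodes.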