GNUBoot
/
coreboot-kgpe-d16
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

libpayload: Fix possible NULL deref in cbfs_get_file_content() 

Change-Id: I2e10ccac3248717d90838ca721cc691de792b507
Signed-off-by: Nico Huber <nico.huber@secunet.com>
Reviewed-on: http://review.coreboot.org/11780
Tested-by: build bot (Jenkins)
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
This commit is contained in:
Nico Huber 2015-10-02 19:38:24 +02:00 committed by Aaron Durbin
parent 8a414a0943
commit ac1f4b86f4
1 changed files with 7 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
payloads/libpayload/libcbfs/cbfs_core.c
View File

@ -207,14 +207,12 @@ void *cbfs_get_file_content(struct cbfs_media *media, const char *name,
return NULL; return NULL;
} }
if (sz)
*sz = ntohl(file->len);
void *file_content = (void *)CBFS_SUBHEADER(file); void *file_content = (void *)CBFS_SUBHEADER(file);
struct cbfs_file_attribute *attr = struct cbfs_file_attribute *attr =
cbfs_file_find_attr(file, CBFS_FILE_ATTR_TAG_COMPRESSION); cbfs_file_find_attr(file, CBFS_FILE_ATTR_TAG_COMPRESSION);
size_t final_size = ntohl(file->len);
int compression_algo = CBFS_COMPRESS_NONE; int compression_algo = CBFS_COMPRESS_NONE;
if (attr) { if (attr) {
struct cbfs_file_attr_compression *comp = struct cbfs_file_attr_compression *comp =
@ -222,16 +220,19 @@ void *cbfs_get_file_content(struct cbfs_media *media, const char *name,
compression_algo = ntohl(comp->compression); compression_algo = ntohl(comp->compression);
DEBUG("File '%s' is compressed (alg=%d)\n", DEBUG("File '%s' is compressed (alg=%d)\n",
name, compression_algo); name, compression_algo);
*sz = ntohl(comp->decompressed_size); final_size = ntohl(comp->decompressed_size);
} }
void *dst = malloc(*sz); void *dst = malloc(final_size);
if (dst == NULL) if (dst == NULL)
goto err; goto err;
if (!cbfs_decompress(compression_algo, file_content, dst, *sz)) if (!cbfs_decompress(compression_algo, file_content, dst, final_size))
goto err; goto err;
if (sz)
*sz = final_size;
media->unmap(media, file); media->unmap(media, file);
return dst; return dst;