1 files changed, 104 insertions, 23 deletions
diff --git a/lib/decompress_unlzo.c b/lib/decompress_unlzo.c
index db521f45626e..5a7a2adf4c4c 100644
--- a/lib/decompress_unlzo.c
+++ b/lib/decompress_unlzo.c
@@ -33,7 +33,6 @@
 #ifdef STATIC
 #include "lzo/lzo1x_decompress.c"
 #else
-#include <linux/slab.h>
 #include <linux/decompress/unlzo.h>
 #endif
@@ -49,14 +48,25 @@ static const unsigned char lzop_magic[] = {
 #define LZO_BLOCK_SIZE        (256*1024l)
 #define HEADER_HAS_FILTER      0x00000800L
+#define HEADER_SIZE_MIN       (9 + 7     + 4 + 8     + 1       + 4)
+#define HEADER_SIZE_MAX       (9 + 7 + 1 + 8 + 8 + 4 + 1 + 255 + 4)
-STATIC inline int INIT parse_header(u8 *input, u8 *skip)
+STATIC inline int INIT parse_header(u8 *input, int *skip, int in_len)
 {
        int l;
        u8 *parse = input;
+        u8 *end = input + in_len;
        u8 level = 0;
        u16 version;
+        /*
+         * Check that there's enough input to possibly have a valid header.
+         * Then it is possible to parse several fields until the minimum
+         * size may have been used.
+         */
+        if (in_len < HEADER_SIZE_MIN)
+                return 0;
        /* read magic: 9 first bits */
        for (l = 0; l < 9; l++) {
                if (*parse++ != lzop_magic[l])
@@ -74,6 +84,15 @@ STATIC inline int INIT parse_header(u8 *input, u8 *skip)
        else
                parse += 4; /* flags */
+        /*
+         * At least mode, mtime_low, filename length, and checksum must
+         * be left to be parsed. If also mtime_high is present, it's OK
+         * because the next input buffer check is after reading the
+         * filename length.
+         */
+        if (end - parse < 8 + 1 + 4)
+                return 0;
        /* skip mode and mtime_low */
        parse += 8;
        if (version >= 0x0940)
@@ -81,6 +100,8 @@ STATIC inline int INIT parse_header(u8 *input, u8 *skip)
        l = *parse++;
        /* don't care about the file name, and skip checksum */
+        if (end - parse < l + 4)
+                return 0;
        parse += l + 4;
        *skip = parse - input;
@@ -91,15 +112,14 @@ STATIC inline int INIT unlzo(u8 *input, int in_len,
                                int (*fill) (void *, unsigned int),
                                int (*flush) (void *, unsigned int),
                                u8 *output, int *posp,
-                                void (*error_fn) (char *x))
+                                void (*error) (char *x))
 {
-        u8 skip = 0, r = 0;
+        u8 r = 0;
+        int skip = 0;
        u32 src_len, dst_len;
        size_t tmp;
        u8 *in_buf, *in_buf_save, *out_buf;
-        int obytes_processed = 0;
+        int ret = -1;
-        set_error_fn(error_fn);
        if (output) {
                out_buf = output;
@@ -119,8 +139,8 @@ STATIC inline int INIT unlzo(u8 *input, int in_len,
                goto exit_1;
        } else if (input) {
                in_buf = input;
-        } else if (!fill || !posp) {
+        } else if (!fill) {
-                error("NULL input pointer and missing position pointer or fill function");
+                error("NULL input pointer and missing fill function");
                goto exit_1;
        } else {
                in_buf = malloc(lzo1x_worst_compress(LZO_BLOCK_SIZE));
@@ -134,22 +154,47 @@ STATIC inline int INIT unlzo(u8 *input, int in_len,
        if (posp)
                *posp = 0;
-        if (fill)
+        if (fill) {
-                fill(in_buf, lzo1x_worst_compress(LZO_BLOCK_SIZE));
+                /*
+                 * Start from in_buf + HEADER_SIZE_MAX to make it possible
+                 * to use memcpy() to copy the unused data to the beginning
+                 * of the buffer. This way memmove() isn't needed which
+                 * is missing from pre-boot environments of most archs.
+                 */
+                in_buf += HEADER_SIZE_MAX;
+                in_len = fill(in_buf, HEADER_SIZE_MAX);
+        }
-        if (!parse_header(input, &skip)) {
+        if (!parse_header(in_buf, &skip, in_len)) {
                error("invalid header");
                goto exit_2;
        }
        in_buf += skip;
+        in_len -= skip;
+        if (fill) {
+                /* Move the unused data to the beginning of the buffer. */
+                memcpy(in_buf_save, in_buf, in_len);
+                in_buf = in_buf_save;
+        }
        if (posp)
                *posp = skip;
        for (;;) {
                /* read uncompressed block size */
+                if (fill && in_len < 4) {
+                        skip = fill(in_buf + in_len, 4 - in_len);
+                        if (skip > 0)
+                                in_len += skip;
+                }
+                if (in_len < 4) {
+                        error("file corrupted");
+                        goto exit_2;
+                }
                dst_len = get_unaligned_be32(in_buf);
                in_buf += 4;
+                in_len -= 4;
                /* exit if last block */
                if (dst_len == 0) {
@@ -164,8 +209,18 @@ STATIC inline int INIT unlzo(u8 *input, int in_len,
                }
                /* read compressed block size, and skip block checksum info */
+                if (fill && in_len < 8) {
+                        skip = fill(in_buf + in_len, 8 - in_len);
+                        if (skip > 0)
+                                in_len += skip;
+                }
+                if (in_len < 8) {
+                        error("file corrupted");
+                        goto exit_2;
+                }
                src_len = get_unaligned_be32(in_buf);
                in_buf += 8;
+                in_len -= 8;
                if (src_len <= 0 || src_len > dst_len) {
                        error("file corrupted");
@@ -173,29 +228,55 @@ STATIC inline int INIT unlzo(u8 *input, int in_len,
                }
                /* decompress */
+                if (fill && in_len < src_len) {
+                        skip = fill(in_buf + in_len, src_len - in_len);
+                        if (skip > 0)
+                                in_len += skip;
+                }
+                if (in_len < src_len) {
+                        error("file corrupted");
+                        goto exit_2;
+                }
                tmp = dst_len;
-                r = lzo1x_decompress_safe((u8 *) in_buf, src_len,
+                /* When the input data is not compressed at all,
+                 * lzo1x_decompress_safe will fail, so call memcpy()
+                 * instead */
+                if (unlikely(dst_len == src_len))
+                        memcpy(out_buf, in_buf, src_len);
+                else {
+                        r = lzo1x_decompress_safe((u8 *) in_buf, src_len,
                                                out_buf, &tmp);
-                if (r != LZO_E_OK || dst_len != tmp) {
+                        if (r != LZO_E_OK || dst_len != tmp) {
-                        error("Compressed data violation");
+                                error("Compressed data violation");
-                        goto exit_2;
+                                goto exit_2;
+                        }
                }
-                obytes_processed += dst_len;
+                if (flush && flush(out_buf, dst_len) != dst_len)
-                if (flush)
+                        goto exit_2;
-                        flush(out_buf, dst_len);
                if (output)
                        out_buf += dst_len;
                if (posp)
                        *posp += src_len + 12;
+                in_buf += src_len;
+                in_len -= src_len;
                if (fill) {
+                        /*
+                         * If there happens to still be unused data left in
+                         * in_buf, move it to the beginning of the buffer.
+                         * Use a loop to avoid memmove() dependency.
+                         */
+                        if (in_len > 0)
+                                for (skip = 0; skip < in_len; ++skip)
+                                        in_buf_save[skip] = in_buf[skip];
                        in_buf = in_buf_save;
-                        fill(in_buf, lzo1x_worst_compress(LZO_BLOCK_SIZE));
+                }
-                } else
-                        in_buf += src_len;
        }
+        ret = 0;
 exit_2:
        if (!input)
                free(in_buf);
@@ -203,7 +284,7 @@ exit_1:
        if (!output)
                free(out_buf);
 exit:
-        return obytes_processed;
+        return ret;
 }
 #define decompress unlzo

diff --git a/lib/decompress_unlzo.c b/lib/decompress_unlzo.c index db521f45626e..5a7a2adf4c4c 100644 --- a/lib/decompress_unlzo.c +++ b/lib/decompress_unlzo.c
@@ -33,7 +33,6 @@
33	#ifdef STATIC	33	#ifdef STATIC
34	#include "lzo/lzo1x_decompress.c"	34	#include "lzo/lzo1x_decompress.c"
35	#else	35	#else
36	#include <linux/slab.h>
37	#include <linux/decompress/unlzo.h>	36	#include <linux/decompress/unlzo.h>
38	#endif	37	#endif
39		38
@@ -49,14 +48,25 @@ static const unsigned char lzop_magic[] = {
49		48
50	#define LZO_BLOCK_SIZE (256*1024l)	49	#define LZO_BLOCK_SIZE (256*1024l)
51	#define HEADER_HAS_FILTER 0x00000800L	50	#define HEADER_HAS_FILTER 0x00000800L
		51	#define HEADER_SIZE_MIN (9 + 7 + 4 + 8 + 1 + 4)
		52	#define HEADER_SIZE_MAX (9 + 7 + 1 + 8 + 8 + 4 + 1 + 255 + 4)
52		53
53	STATIC inline int INIT parse_header(u8 input, u8 skip)	54	STATIC inline int INIT parse_header(u8 input, int skip, int in_len)
54	{	55	{
55	int l;	56	int l;
56	u8 *parse = input;	57	u8 *parse = input;
		58	u8 *end = input + in_len;
57	u8 level = 0;	59	u8 level = 0;
58	u16 version;	60	u16 version;
59		61
		62	/*
		63	* Check that there's enough input to possibly have a valid header.
		64	* Then it is possible to parse several fields until the minimum
		65	* size may have been used.
		66	*/
		67	if (in_len < HEADER_SIZE_MIN)
		68	return 0;
		69
60	/* read magic: 9 first bits */	70	/* read magic: 9 first bits */
61	for (l = 0; l < 9; l++) {	71	for (l = 0; l < 9; l++) {
62	if (*parse++ != lzop_magic[l])	72	if (*parse++ != lzop_magic[l])
@@ -74,6 +84,15 @@ STATIC inline int INIT parse_header(u8 input, u8 skip)
74	else	84	else
75	parse += 4; /* flags */	85	parse += 4; /* flags */
76		86
		87	/*
		88	* At least mode, mtime_low, filename length, and checksum must
		89	* be left to be parsed. If also mtime_high is present, it's OK
		90	* because the next input buffer check is after reading the
		91	* filename length.
		92	*/
		93	if (end - parse < 8 + 1 + 4)
		94	return 0;
		95
77	/* skip mode and mtime_low */	96	/* skip mode and mtime_low */
78	parse += 8;	97	parse += 8;
79	if (version >= 0x0940)	98	if (version >= 0x0940)
@@ -81,6 +100,8 @@ STATIC inline int INIT parse_header(u8 input, u8 skip)
81		100
82	l = *parse++;	101	l = *parse++;
83	/* don't care about the file name, and skip checksum */	102	/* don't care about the file name, and skip checksum */
		103	if (end - parse < l + 4)
		104	return 0;
84	parse += l + 4;	105	parse += l + 4;
85		106
86	*skip = parse - input;	107	*skip = parse - input;
@@ -91,15 +112,14 @@ STATIC inline int INIT unlzo(u8 *input, int in_len,
91	int (fill) (void , unsigned int),	112	int (fill) (void , unsigned int),
92	int (flush) (void , unsigned int),	113	int (flush) (void , unsigned int),
93	u8 output, int posp,	114	u8 output, int posp,
94	void (error_fn) (char x))	115	void (error) (char x))
95	{	116	{
96	u8 skip = 0, r = 0;	117	u8 r = 0;
		118	int skip = 0;
97	u32 src_len, dst_len;	119	u32 src_len, dst_len;
98	size_t tmp;	120	size_t tmp;
99	u8 in_buf, in_buf_save, *out_buf;	121	u8 in_buf, in_buf_save, *out_buf;
100	int obytes_processed = 0;	122	int ret = -1;
101
102	set_error_fn(error_fn);
103		123
104	if (output) {	124	if (output) {
105	out_buf = output;	125	out_buf = output;
@@ -119,8 +139,8 @@ STATIC inline int INIT unlzo(u8 *input, int in_len,
119	goto exit_1;	139	goto exit_1;
120	} else if (input) {	140	} else if (input) {
121	in_buf = input;	141	in_buf = input;
122	} else if (!fill \|\| !posp) {	142	} else if (!fill) {
123	error("NULL input pointer and missing position pointer or fill function");	143	error("NULL input pointer and missing fill function");
124	goto exit_1;	144	goto exit_1;
125	} else {	145	} else {
126	in_buf = malloc(lzo1x_worst_compress(LZO_BLOCK_SIZE));	146	in_buf = malloc(lzo1x_worst_compress(LZO_BLOCK_SIZE));
@@ -134,22 +154,47 @@ STATIC inline int INIT unlzo(u8 *input, int in_len,
134	if (posp)	154	if (posp)
135	*posp = 0;	155	*posp = 0;
136		156
137	if (fill)	157	if (fill) {
138	fill(in_buf, lzo1x_worst_compress(LZO_BLOCK_SIZE));	158	/*
		159	* Start from in_buf + HEADER_SIZE_MAX to make it possible
		160	* to use memcpy() to copy the unused data to the beginning
		161	* of the buffer. This way memmove() isn't needed which
		162	* is missing from pre-boot environments of most archs.
		163	*/
		164	in_buf += HEADER_SIZE_MAX;
		165	in_len = fill(in_buf, HEADER_SIZE_MAX);
		166	}
139		167
140	if (!parse_header(input, &skip)) {	168	if (!parse_header(in_buf, &skip, in_len)) {
141	error("invalid header");	169	error("invalid header");
142	goto exit_2;	170	goto exit_2;
143	}	171	}
144	in_buf += skip;	172	in_buf += skip;
		173	in_len -= skip;
		174
		175	if (fill) {
		176	/* Move the unused data to the beginning of the buffer. */
		177	memcpy(in_buf_save, in_buf, in_len);
		178	in_buf = in_buf_save;
		179	}
145		180
146	if (posp)	181	if (posp)
147	*posp = skip;	182	*posp = skip;
148		183
149	for (;;) {	184	for (;;) {
150	/* read uncompressed block size */	185	/* read uncompressed block size */
		186	if (fill && in_len < 4) {
		187	skip = fill(in_buf + in_len, 4 - in_len);
		188	if (skip > 0)
		189	in_len += skip;
		190	}
		191	if (in_len < 4) {
		192	error("file corrupted");
		193	goto exit_2;
		194	}
151	dst_len = get_unaligned_be32(in_buf);	195	dst_len = get_unaligned_be32(in_buf);
152	in_buf += 4;	196	in_buf += 4;
		197	in_len -= 4;
153		198
154	/* exit if last block */	199	/* exit if last block */
155	if (dst_len == 0) {	200	if (dst_len == 0) {
@@ -164,8 +209,18 @@ STATIC inline int INIT unlzo(u8 *input, int in_len,
164	}	209	}
165		210
166	/* read compressed block size, and skip block checksum info */	211	/* read compressed block size, and skip block checksum info */
		212	if (fill && in_len < 8) {
		213	skip = fill(in_buf + in_len, 8 - in_len);
		214	if (skip > 0)
		215	in_len += skip;
		216	}
		217	if (in_len < 8) {
		218	error("file corrupted");
		219	goto exit_2;
		220	}
167	src_len = get_unaligned_be32(in_buf);	221	src_len = get_unaligned_be32(in_buf);
168	in_buf += 8;	222	in_buf += 8;
		223	in_len -= 8;
169		224
170	if (src_len <= 0 \|\| src_len > dst_len) {	225	if (src_len <= 0 \|\| src_len > dst_len) {
171	error("file corrupted");	226	error("file corrupted");
@@ -173,29 +228,55 @@ STATIC inline int INIT unlzo(u8 *input, int in_len,
173	}	228	}
174		229
175	/* decompress */	230	/* decompress */
		231	if (fill && in_len < src_len) {
		232	skip = fill(in_buf + in_len, src_len - in_len);
		233	if (skip > 0)
		234	in_len += skip;
		235	}
		236	if (in_len < src_len) {
		237	error("file corrupted");
		238	goto exit_2;
		239	}
176	tmp = dst_len;	240	tmp = dst_len;
177	r = lzo1x_decompress_safe((u8 *) in_buf, src_len,	241
		242	/* When the input data is not compressed at all,
		243	* lzo1x_decompress_safe will fail, so call memcpy()
		244	* instead */
		245	if (unlikely(dst_len == src_len))
		246	memcpy(out_buf, in_buf, src_len);
		247	else {
		248	r = lzo1x_decompress_safe((u8 *) in_buf, src_len,
178	out_buf, &tmp);	249	out_buf, &tmp);
179		250
180	if (r != LZO_E_OK \|\| dst_len != tmp) {	251	if (r != LZO_E_OK \|\| dst_len != tmp) {
181	error("Compressed data violation");	252	error("Compressed data violation");
182	goto exit_2;	253	goto exit_2;
		254	}
183	}	255	}
184		256
185	obytes_processed += dst_len;	257	if (flush && flush(out_buf, dst_len) != dst_len)
186	if (flush)	258	goto exit_2;
187	flush(out_buf, dst_len);
188	if (output)	259	if (output)
189	out_buf += dst_len;	260	out_buf += dst_len;
190	if (posp)	261	if (posp)
191	*posp += src_len + 12;	262	*posp += src_len + 12;
		263
		264	in_buf += src_len;
		265	in_len -= src_len;
192	if (fill) {	266	if (fill) {
		267	/*
		268	* If there happens to still be unused data left in
		269	* in_buf, move it to the beginning of the buffer.
		270	* Use a loop to avoid memmove() dependency.
		271	*/
		272	if (in_len > 0)
		273	for (skip = 0; skip < in_len; ++skip)
		274	in_buf_save[skip] = in_buf[skip];
193	in_buf = in_buf_save;	275	in_buf = in_buf_save;
194	fill(in_buf, lzo1x_worst_compress(LZO_BLOCK_SIZE));	276	}
195	} else
196	in_buf += src_len;
197	}	277	}
198		278
		279	ret = 0;
199	exit_2:	280	exit_2:
200	if (!input)	281	if (!input)
201	free(in_buf);	282	free(in_buf);
@@ -203,7 +284,7 @@ exit_1:
203	if (!output)	284	if (!output)
204	free(out_buf);	285	free(out_buf);
205	exit:	286	exit:
206	return obytes_processed;	287	return ret;
207	}	288	}
208		289
209	#define decompress unlzo	290	#define decompress unlzo