gzip: correctly bounds-check output buffer

The output buffer size must not be reset by the gzip decoder or there
is a risk of overflowing memory during decompression.

Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: Simon Glass <sjg@chromium.org>

diff --git a/lib/gunzip.c b/lib/gunzip.c
index 9959781b0004096fe542d950f0cea3f98f066fd3..35abfb38e176ff64b621fbe9d91b3542ce8150cd 100644 (file)
--- a/lib/gunzip.c
+++ b/lib/gunzip.c
@@ -89,13 +89,13 @@ int zunzip(void *dst, int dstlen, unsigned char *src, unsigned long *lenp,
        s.avail_out = dstlen;
        do {
                r = inflate(&s, Z_FINISH);
-               if (r != Z_STREAM_END && r != Z_BUF_ERROR && stoponerr == 1) {
+               if (stoponerr == 1 && r != Z_STREAM_END &&
+                   (s.avail_out == 0 || r != Z_BUF_ERROR)) {
                        printf("Error: inflate() returned %d\n", r);
                        inflateEnd(&s);
                        return -1;
                }
                s.avail_in = *lenp - offset - (int)(s.next_out - (unsigned char*)dst);
-               s.avail_out = dstlen;
        } while (r == Z_BUF_ERROR);
        *lenp = s.next_out - (unsigned char *) dst;
        inflateEnd(&s);