libpayload: Fix possible NULL deref in cbfs_get_file_content()
Change-Id: I2e10ccac3248717d90838ca721cc691de792b507
Signed-off-by: Nico Huber <nico.huber@secunet.com>
Reviewed-on: http://review.coreboot.org/11780
Tested-by: build bot (Jenkins)
Reviewed-by: Daisuke Nojiri <dnojiri@chromium.org>
diff --git a/payloads/libpayload/libcbfs/cbfs_core.c b/payloads/libpayload/libcbfs/cbfs_core.c
index 4c898c6..369d946 100644
--- a/payloads/libpayload/libcbfs/cbfs_core.c
+++ b/payloads/libpayload/libcbfs/cbfs_core.c
@@ -207,14 +207,12 @@
return NULL;
}
- if (sz)
- *sz = ntohl(file->len);
-
void *file_content = (void *)CBFS_SUBHEADER(file);
struct cbfs_file_attribute *attr =
cbfs_file_find_attr(file, CBFS_FILE_ATTR_TAG_COMPRESSION);
+ size_t final_size = ntohl(file->len);
int compression_algo = CBFS_COMPRESS_NONE;
if (attr) {
struct cbfs_file_attr_compression *comp =
@@ -222,16 +220,19 @@
compression_algo = ntohl(comp->compression);
DEBUG("File '%s' is compressed (alg=%d)\n",
name, compression_algo);
- *sz = ntohl(comp->decompressed_size);
+ final_size = ntohl(comp->decompressed_size);
}
- void *dst = malloc(*sz);
+ void *dst = malloc(final_size);
if (dst == NULL)
goto err;
- if (!cbfs_decompress(compression_algo, file_content, dst, *sz))
+ if (!cbfs_decompress(compression_algo, file_content, dst, final_size))
goto err;
+ if (sz)
+ *sz = final_size;
+
media->unmap(media, file);
return dst;