Merge "libelf: check decompressed ZSTD size" into main am: d6bbe48d7e

Original change: https://android-review.googlesource.com/c/platform/external/elfutils/+/2846081

Change-Id: Ie29e69721131d0665fc500f4cfbd4b8e1b2668d3
Signed-off-by: Automerger Merge Worker <android-build-automerger-merge-worker@system.gserviceaccount.com>
diff --git a/libelf/elf_compress.c b/libelf/elf_compress.c
index f13b41b..e3ecab3 100644
--- a/libelf/elf_compress.c
+++ b/libelf/elf_compress.c
@@ -421,7 +421,7 @@
     }
 
   size_t ret = ZSTD_decompress (buf_out, size_out, buf_in, size_in);
-  if (ZSTD_isError (ret))
+  if (unlikely (ZSTD_isError (ret)) || unlikely (ret != size_out))
     {
       free (buf_out);
       __libelf_seterrno (ELF_E_DECOMPRESS_ERROR);
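Review bot: The widened condition on the `ZSTD_decompress` result carries no comment explaining why a successful but short decompression is now treated as an error, and that reason is the security-relevant part of the change. Per the commit description, `size_out` is the size declared in the compression header and the output buffer is allocated to that size, so a stream yielding fewer bytes would leave the tail of `buf_out` uninitialized while callers presumably treat all `size_out` bytes as section data. I would add above the `if`: `/* A short result leaves the tail of buf_out uninitialized; reject it so the caller never sees bytes the decompressor did not write.  */`. The allocation of `buf_out` and the rest of the function lie outside this hunk, so whether the buffer is zeroed beforehand cannot be confirmed from here.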
diff --git a/patches/libelf-check-decompressed-ZSTD-size.patch b/patches/libelf-check-decompressed-ZSTD-size.patch
new file mode 100644
index 0000000..6c76fac
--- /dev/null
+++ b/patches/libelf-check-decompressed-ZSTD-size.patch
@@ -0,0 +1,33 @@
+From 03c171947cc538b04957ac2222ce86e7c0170bd1 Mon Sep 17 00:00:00 2001
+From: Aleksei Vetrov <vvvvvv@google.com>
+Date: Thu, 23 Nov 2023 15:31:47 +0000
+Subject: [PATCH] libelf: check decompressed ZSTD size
+
+Decompression functions like __libelf_decompress_zlib check that
+decompressed data has the same size as it was declared in the header
+(size_out argument). The same check is now added to
+__libelf_decompress_zstd to make sure that the whole allocated buffer is
+initialized.
+
+    * libelf/elf_compress.c (__libelf_decompress_zstd): Use return value
+      of ZSTD_decompress to check that decompressed data size is the
+      same as size_out of the buffer that was allocated.
+
+Signed-off-by: Aleksei Vetrov <vvvvvv@google.com>
+
+diff --git a/libelf/elf_compress.c b/libelf/elf_compress.c
+index c7283c6a..0ad6a32a 100644
+--- a/libelf/elf_compress.c
++++ b/libelf/elf_compress.c
+@@ -422,7 +422,7 @@ __libelf_decompress_zstd (void *buf_in, size_t size_in, size_t size_out)
+     }
+ 
+   size_t ret = ZSTD_decompress (buf_out, size_out, buf_in, size_in);
+-  if (ZSTD_isError (ret))
++  if (unlikely (ZSTD_isError (ret)) || unlikely (ret != size_out))
+     {
+       free (buf_out);
+       __libelf_seterrno (ELF_E_DECOMPRESS_ERROR);
+-- 
+2.43.0.rc1.413.gea7ed67945-goog
+