From e3fad7c45a291089ba8500bbc46f6257d755664f Mon Sep 17 00:00:00 2001
From: Roy Oursler
Date: Fri, 15 Dec 2017 08:46:44 -0700
Subject: [PATCH] igzip: Fix out buffer overflow in write_type0_header
Fix a possible 1 byte overflow by creating a combined write_bits and flush.
Change-Id: I2d2455e9e32a820522ff1d89d016db72a82baed9
Signed-off-by: Roy Oursler
---
 igzip/bitbuf2.h | 29 ++++++++++++++++++-----------
 igzip/igzip.c | 3 +--
 2 files changed, 19 insertions(+), 13 deletions(-)
diff --git a/igzip/bitbuf2.h b/igzip/bitbuf2.h
index b788924..a0a0aeb 100644
--- a/igzip/bitbuf2.h
+++ b/igzip/bitbuf2.h
@@ -95,6 +95,19 @@ static inline void flush_bits(struct BitBuf2 *me)
 }
+/* Can write up to 8 bytes to output buffer */
+static inline void flush(struct BitBuf2 *me)
+{
+ uint32_t bytes;
+ if (me->m_bit_count) {
+ _mm_stream_si64x((int64_t *) me->m_out_buf, me->m_bits);
+ bytes = (me->m_bit_count + 7) / 8;
+ me->m_out_buf += bytes;
+ }
+ me->m_bits = 0;
+ me->m_bit_count = 0;
+}
+
 static inline void check_space(struct BitBuf2 *me, uint32_t num_bits)
 {
 /* Checks if bitbuf has num_bits extra space and flushes the bytes in
@@ -116,17 +129,11 @@ static inline void write_bits(struct BitBuf2 *me, uint64_t code, uint32_t count)
 flush_bits(me);
 }
-/* Can write up to 8 bytes to output buffer */
-static inline void flush(struct BitBuf2 *me)
-{
- uint32_t bytes;
- if (me->m_bit_count) {
- _mm_stream_si64x((int64_t *) me->m_out_buf, me->m_bits);
- bytes = (me->m_bit_count + 7) / 8;
- me->m_out_buf += bytes;
- }
- me->m_bits = 0;
- me->m_bit_count = 0;
+static inline void write_bits_flush(struct BitBuf2 *me, uint64_t code, uint32_t count)
+{ /* Assumes there is space to fit code into m_bits. */
+ me->m_bits |= code << me->m_bit_count;
+ me->m_bit_count += count;
+ flush(me);
 }
 #endif //BITBUF2_H
diff --git a/igzip/igzip.c b/igzip/igzip.c
index 401e0b7..eb2f059 100644
--- a/igzip/igzip.c
+++ b/igzip/igzip.c
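Review bot: `write_bits_flush` in igzip/bitbuf2.h (second hunk) documents only the accumulator precondition, while the overflow this commit fixes concerns output space, and that contract is not written down on the helper. `flush()` issues a full 8-byte `_mm_stream_si64x` store at `m_out_buf` whenever `m_bit_count` is non-zero and only afterwards advances by `(m_bit_count + 7) / 8`, so "Can write up to 8 bytes" understates what a caller has to reserve. I would state both conditions on the new helper, e.g. `/* One 8-byte store at m_out_buf: caller must guarantee 8 writable bytes there and that the pending bits plus count fit in m_bits. */`. Neither helper checks the end of the output buffer in the lines shown, so every call site carries that obligation.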
@@ -797,8 +797,7 @@ static void write_type0_header(struct isal_zstream *stream)
 memcpy(stream->next_out, &stored_blk_hdr, memcpy_len);
 } else if (stream->avail_out >= 8) {
 set_buf(bitbuf, stream->next_out, stream->avail_out);
- write_bits(bitbuf, stream->internal_state.has_eob_hdr, 3);
- flush(bitbuf);
+ write_bits_flush(bitbuf, stream->internal_state.has_eob_hdr, 3);
 stream->next_out = buffer_ptr(bitbuf);
 stream->total_out += buffer_used(bitbuf);
 stream->avail_out -= buffer_used(bitbuf);
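Review bot: The `stream->avail_out >= 8` guard on this branch of `write_type0_header` is a bare constant that has to equal the width of the single store `write_bits_flush` performs, and nothing at the call site ties the two together. The replaced `write_bits` + `flush` pair presumably got past the same guard because it could store twice at different offsets, so the coupling is worth spelling out: `/* write_bits_flush does one 8-byte store at next_out; avail_out >= 8 covers it */`. The number of bits already pending in `bitbuf` on entry is not visible in this hunk; if it can be non-zero, confirm it always leaves room for the 3-bit code, since `write_bits_flush` assumes that without checking. The function begins and ends outside the hunk.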