From 183ad06f522b279328acb70dfba52d31f9ff9c91 Mon Sep 17 00:00:00 2001
From: Alex Rebert
Date: Thu, 20 Feb 2020 22:55:45 -0500
Subject: [PATCH] libpayload: Fix out-of-bounds read

Fix an out-of-bounds read in the LZMA decoder which happens when the src buffer is too small to contain the 13-byte LZMA header.

Change-Id: Ie442f82cd1abcf7fa18295e782cccf26a7d30079
Signed-off-by: Alex Rebert
Found-by: Mayhem
Reviewed-on: https://review.coreboot.org/c/coreboot/+/39033
Tested-by: build bot (Jenkins)
Reviewed-by: Julius Werner
Reviewed-by: Paul Menzel
---
 payloads/libpayload/liblzma/lzma.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/payloads/libpayload/liblzma/lzma.c b/payloads/libpayload/liblzma/lzma.c
index 57a8b3a5c7..1845afc883 100644
--- a/payloads/libpayload/liblzma/lzma.c
+++ b/payloads/libpayload/liblzma/lzma.c
@@ -28,6 +28,11 @@ unsigned long ulzman(const unsigned char *src, unsigned long srcn,
 SizeT mallocneeds;
 unsigned char *scratchpad;
 
+ if (srcn < data_offset) {
+ printf("lzma: Input too small.\n");
+ return 0;
+ }
+
 memcpy(properties, src, LZMA_PROPERTIES_SIZE);
 memcpy(&outSize, src + LZMA_PROPERTIES_SIZE, sizeof(outSize));
 if (outSize > dstn)
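Review bot: The new guard compares `srcn` with `data_offset`, but the two reads it protects are sized by `LZMA_PROPERTIES_SIZE` and `sizeof(outSize)`, and `data_offset` is declared outside the hunk, so nothing visible here shows that the check covers both `memcpy()` calls. A comment above the check would record the intent, for example `/* src must hold the whole header: the properties plus the size field copied below */`. If `data_offset` is a compile-time constant, a static assertion that it is at least `LZMA_PROPERTIES_SIZE + sizeof(outSize)` would keep the guard and the reads from drifting apart. The early `return 0` is presumably the failure value used elsewhere in ulzman; it is worth confirming that callers treat 0 as an error and not as an empty but valid result. ulzman's body starts and ends outside the hunk.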