libpayload: Fix out-of-bounds read

Fix an out-of-bounds read in the LZMA decoder which happens when the src
buffer is too small to contain the 13-byte LZMA header.

Change-Id: Ie442f82cd1abcf7fa18295e782cccf26a7d30079
Signed-off-by: Alex Rebert <alexandre.rebert@gmail.com>
Found-by: Mayhem
Reviewed-on: https://review.coreboot.org/c/coreboot/+/39033
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
Alex Rebert 2020-02-20 22:55:45 -05:00 committed by Patrick Georgi
parent a0b0d42d69
commit 183ad06f52
1 changed files with 5 additions and 0 deletions


@ -28,6 +28,11 @@ unsigned long ulzman(const unsigned char *src, unsigned long srcn,
SizeT mallocneeds; SizeT mallocneeds;
unsigned char *scratchpad; unsigned char *scratchpad;
if (srcn < data_offset) {
printf("lzma: Input too small.\n");
return 0;
}
memcpy(properties, src, LZMA_PROPERTIES_SIZE); memcpy(properties, src, LZMA_PROPERTIES_SIZE);
memcpy(&outSize, src + LZMA_PROPERTIES_SIZE, sizeof(outSize)); memcpy(&outSize, src + LZMA_PROPERTIES_SIZE, sizeof(outSize));
if (outSize > dstn) if (outSize > dstn)
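Review bot: The added `if (srcn < data_offset)` guard only protects the two header `memcpy` calls if `data_offset` is at least `LZMA_PROPERTIES_SIZE + sizeof(outSize)`, and its definition lies outside this hunk. A comment above the check would tie the two together, e.g. `/* data_offset = properties + size field; both header reads below stay within src */`. `outSize` is still copied from the untrusted header, and the `if (outSize > dstn)` that follows bounds only the destination. It is worth confirming that the decoder call further down is given the remaining length (presumably `srcn - data_offset`) and fails cleanly on a truncated payload. The body of `ulzman` starts and ends outside the hunk.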