libpayload: Fix out-of-bounds read
Fix an out-of-bounds read in the LZMA decoder which happens when the src buffer is too small to contain the 13-byte LZMA header. Change-Id: Ie442f82cd1abcf7fa18295e782cccf26a7d30079 Signed-off-by: Alex Rebert <alexandre.rebert@gmail.com> Found-by: Mayhem Reviewed-on: https://review.coreboot.org/c/coreboot/+/39033 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Julius Werner <jwerner@chromium.org> Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
This commit is contained in:
parent
a0b0d42d69
commit
183ad06f52
|
@ -28,6 +28,11 @@ unsigned long ulzman(const unsigned char *src, unsigned long srcn,
|
|||
SizeT mallocneeds;
|
||||
unsigned char *scratchpad;
|
||||
|
||||
if (srcn < data_offset) {
|
||||
printf("lzma: Input too small.\n");
|
||||
return 0;
|
||||
}
|
||||
|
||||
memcpy(properties, src, LZMA_PROPERTIES_SIZE);
|
||||
memcpy(&outSize, src + LZMA_PROPERTIES_SIZE, sizeof(outSize));
|
||||
if (outSize > dstn)
|
||||
|
|
Loading…
Reference in New Issue