From 41de2a08ec85df00ff85d87dbee2cb37185e5323 Mon Sep 17 00:00:00 2001 From: Alex Rebert Date: Sat, 22 Feb 2020 18:13:39 -0500 Subject: [PATCH] lib/lzma: Fix out-of-bounds read Fix an out-of-bounds read in the LZMA decoder which happens when the src buffer is too small to contain the 13-byte LZMA header. Change-Id: Id5893e60fc9a48deb83560b7917f5558cd30ef4e Signed-off-by: Alex Rebert Found-by: Mayhem Reviewed-on: https://review.coreboot.org/c/coreboot/+/39085 Tested-by: build bot (Jenkins) Reviewed-by: Julius Werner --- src/lib/lzma.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/lib/lzma.c b/src/lib/lzma.c index 71c016ebcd..16b6e228fb 100644 --- a/src/lib/lzma.c +++ b/src/lib/lzma.c @@ -29,6 +29,11 @@ size_t ulzman(const void *src, size_t srcn, void *dst, size_t dstn) MAYBE_STATIC_BSS unsigned char scratchpad[15980]; const unsigned char *cp; + if (srcn < data_offset) { + printk(BIOS_WARNING, "lzma: Input too small.\n"); + return 0; + } + memcpy(properties, src, LZMA_PROPERTIES_SIZE); /* The outSize in LZMA stream is a 64bit integer stored in little-endian * (ref: lzma.cc@LZMACompress: put_64). To prevent accessing by