lib/lzma: Fix out-of-bounds read

Fix an out-of-bounds read in the LZMA decoder which happens when the src
buffer is too small to contain the 13-byte LZMA header.

Change-Id: Id5893e60fc9a48deb83560b7917f5558cd30ef4e
Signed-off-by: Alex Rebert <alexandre.rebert@gmail.com>
Found-by: Mayhem
Reviewed-on: https://review.coreboot.org/c/coreboot/+/39085
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Alex Rebert 2020-02-22 18:13:39 -05:00 committed by Patrick Georgi
parent 3f4af0da93
commit 41de2a08ec
1 changed files with 5 additions and 0 deletions


@ -29,6 +29,11 @@ size_t ulzman(const void *src, size_t srcn, void *dst, size_t dstn)
MAYBE_STATIC_BSS unsigned char scratchpad[15980];
const unsigned char *cp;
if (srcn < data_offset) {
printk(BIOS_WARNING, "lzma: Input too small.\n");
return 0;
}
memcpy(properties, src, LZMA_PROPERTIES_SIZE);
/* The outSize in LZMA stream is a 64bit integer stored in little-endian
* (ref: lzma.cc@LZMACompress: put_64). To prevent accessing by
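Review bot: The new `if (srcn < data_offset)` guard only closes the out-of-bounds read if `data_offset` equals the full 13-byte header named in the commit message, and its definition is not visible in this hunk. Please confirm it is `LZMA_PROPERTIES_SIZE` plus the 8 bytes of the 64-bit outSize field mentioned in the comment below, so that both the `memcpy(properties, src, LZMA_PROPERTIES_SIZE)` and the subsequent outSize read are covered, and add a short comment above the check stating that layout. Also note that the failure path returns 0 from a function whose return type is `size_t`, so callers have to treat a zero length as an error; it is worth checking that they do.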