lib/lzma: Fix out-of-bounds read
Fix an out-of-bounds read in the LZMA decoder which happens when the src buffer is too small to contain the 13-byte LZMA header. Change-Id: Id5893e60fc9a48deb83560b7917f5558cd30ef4e Signed-off-by: Alex Rebert <alexandre.rebert@gmail.com> Found-by: Mayhem Reviewed-on: https://review.coreboot.org/c/coreboot/+/39085 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Julius Werner <jwerner@chromium.org>
This commit is contained in:
parent
3f4af0da93
commit
41de2a08ec
|
@ -29,6 +29,11 @@ size_t ulzman(const void *src, size_t srcn, void *dst, size_t dstn)
|
|||
MAYBE_STATIC_BSS unsigned char scratchpad[15980];
|
||||
const unsigned char *cp;
|
||||
|
||||
if (srcn < data_offset) {
|
||||
printk(BIOS_WARNING, "lzma: Input too small.\n");
|
||||
return 0;
|
||||
}
|
||||
|
||||
memcpy(properties, src, LZMA_PROPERTIES_SIZE);
|
||||
/* The outSize in LZMA stream is a 64bit integer stored in little-endian
|
||||
* (ref: lzma.cc@LZMACompress: put_64). To prevent accessing by
|
||||
|
|
Loading…
Reference in New Issue