lz4: Fix out-of-bounds reads
Fix two out-of-bounds reads in lz4 decompression: 1) LZ4_decompress_generic could read one byte past the input buffer when decoding variable length literals due to a missing bounds check. This issue was resolved in libpayload, commonlib and cbfstool 2) ulz4fn could read up to 4 bytes past the input buffer when reading a lz4_block_header due to a missing bounds check. This issue was resolved in libpayload and commonlib. Change-Id: I5afdf7e1d43ecdb06c7b288be46813c1017569fc Signed-off-by: Alex Rebert <alexandre.rebert@gmail.com> Found-by: Mayhem Reviewed-on: https://review.coreboot.org/c/coreboot/+/39174 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Patrick Georgi <pgeorgi@google.com>
This commit is contained in:
Alex Rebert
Patrick Georgi
parent
e5e24107f9
commit
70282aece0
|
|
@ -150,6 +150,7 @@ FORCE_INLINE int LZ4_decompress_generic(
|
||||||
if ((length=(token>>ML_BITS)) == RUN_MASK)
|
if ((length=(token>>ML_BITS)) == RUN_MASK)
|
||||||
{
|
{
|
||||||
unsigned s;
|
unsigned s;
|
||||||
|
if ((endOnInput) && unlikely(ip>=iend-RUN_MASK)) goto _output_error; /* overflow detection */
|
||||||
do
|
do
|
||||||
{
|
{
|
||||||
s = *ip++;
|
s = *ip++;
|
||||||
|
|
|
||||||
|
|
@ -141,6 +141,9 @@ size_t ulz4fn(const void *src, size_t srcn, void *dst, size_t dstn)
|
||||||
}
|
}
|
||||||
|
|
||||||
while (1) {
|
while (1) {
|
||||||
|
if ((size_t)(in - src) + sizeof(struct lz4_block_header) > srcn)
|
||||||
|
break; /* input overrun */
|
||||||
|
|
||||||
struct lz4_block_header b = { .raw = le32toh(*(uint32_t *)in) };
|
struct lz4_block_header b = { .raw = le32toh(*(uint32_t *)in) };
|
||||||
in += sizeof(struct lz4_block_header);
|
in += sizeof(struct lz4_block_header);
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -150,6 +150,7 @@ FORCE_INLINE int LZ4_decompress_generic(
|
||||||
if ((length=(token>>ML_BITS)) == RUN_MASK)
|
if ((length=(token>>ML_BITS)) == RUN_MASK)
|
||||||
{
|
{
|
||||||
unsigned s;
|
unsigned s;
|
||||||
|
if ((endOnInput) && unlikely(ip>=iend-RUN_MASK)) goto _output_error; /* overflow detection */
|
||||||
do
|
do
|
||||||
{
|
{
|
||||||
s = *ip++;
|
s = *ip++;
|
||||||
|
|
|
||||||
|
|
@ -129,6 +129,9 @@ size_t ulz4fn(const void *src, size_t srcn, void *dst, size_t dstn)
|
||||||
}
|
}
|
||||||
|
|
||||||
while (1) {
|
while (1) {
|
||||||
|
if ((size_t)(in - src) + sizeof(struct lz4_block_header) > srcn)
|
||||||
|
break; /* input overrun */
|
||||||
|
|
||||||
struct lz4_block_header b = {
|
struct lz4_block_header b = {
|
||||||
{ .raw = le32toh(*(const uint32_t *)in) }
|
{ .raw = le32toh(*(const uint32_t *)in) }
|
||||||
};
|
};
|
||||||
|
|
|
||||||
|
|
@ -1206,6 +1206,7 @@ FORCE_INLINE int LZ4_decompress_generic(
|
||||||
if ((length=(token>>ML_BITS)) == RUN_MASK)
|
if ((length=(token>>ML_BITS)) == RUN_MASK)
|
||||||
{
|
{
|
||||||
unsigned s;
|
unsigned s;
|
||||||
|
if ((endOnInput) && unlikely(ip>=iend-RUN_MASK)) goto _output_error; /* overflow detection */
|
||||||
do
|
do
|
||||||
{
|
{
|
||||||
s = *ip++;
|
s = *ip++;
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue