coreboot-kgpe-d16/payloads/libpayload/liblzma/lzma.c
Alex Rebert 183ad06f52 libpayload: Fix out-of-bounds read
Fix an out-of-bounds read in the LZMA decoder which happens when the src
buffer is too small to contain the 13-byte LZMA header.

Change-Id: Ie442f82cd1abcf7fa18295e782cccf26a7d30079
Signed-off-by: Alex Rebert <alexandre.rebert@gmail.com>
Found-by: Mayhem
Reviewed-on: https://review.coreboot.org/c/coreboot/+/39033
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
2020-02-24 12:53:25 +00:00

66 lines
1.8 KiB
C

/*
* coreboot interface to memory-saving variant of LZMA decoder
*
* Copyright (C) 2006 Carl-Daniel Hailfinger
* Released under the BSD license
*
* Parts of this file are based on C/7zip/Compress/LZMA_C/LzmaTest.c from the LZMA
* SDK 4.42, which is written and distributed to public domain by Igor Pavlov.
*
*/
#include <lzma.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include "lzmadecode.c"
unsigned long ulzman(const unsigned char *src, unsigned long srcn,
unsigned char *dst, unsigned long dstn)
{
unsigned char properties[LZMA_PROPERTIES_SIZE];
const int data_offset = LZMA_PROPERTIES_SIZE + 8;
UInt32 outSize;
SizeT inProcessed;
SizeT outProcessed;
int res;
CLzmaDecoderState state;
SizeT mallocneeds;
unsigned char *scratchpad;
if (srcn < data_offset) {
printf("lzma: Input too small.\n");
return 0;
}
memcpy(properties, src, LZMA_PROPERTIES_SIZE);
memcpy(&outSize, src + LZMA_PROPERTIES_SIZE, sizeof(outSize));
if (outSize > dstn)
outSize = dstn;
if (LzmaDecodeProperties(&state.Properties, properties,
LZMA_PROPERTIES_SIZE) != LZMA_RESULT_OK) {
printf("lzma: Incorrect stream properties.\n");
return 0;
}
mallocneeds = (LzmaGetNumProbs(&state.Properties) * sizeof(CProb));
scratchpad = malloc(mallocneeds);
if (!scratchpad) {
printf("lzma: Cannot allocate %u bytes for scratchpad!\n",
mallocneeds);
return 0;
}
state.Probs = (CProb *)scratchpad;
res = LzmaDecode(&state, src + data_offset, srcn - data_offset,
&inProcessed, dst, outSize, &outProcessed);
free(scratchpad);
if (res != 0) {
printf("lzma: Decoding error = %d\n", res);
return 0;
}
return outProcessed;
}
unsigned long ulzma(const unsigned char *src, unsigned char *dst)
{
return ulzman(src, (unsigned long)(-1), dst, (unsigned long)(-1));
}