Patrick Georgi has submitted this change. ( https://review.coreboot.org/c/coreboot/+/39033 )
Change subject: libpayload: Fix out-of-bounds read ......................................................................
libpayload: Fix out-of-bounds read
Fix an out-of-bounds read in the LZMA decoder which happens when the src buffer is too small to contain the 13-byte LZMA header.
Change-Id: Ie442f82cd1abcf7fa18295e782cccf26a7d30079 Signed-off-by: Alex Rebert alexandre.rebert@gmail.com Found-by: Mayhem Reviewed-on: https://review.coreboot.org/c/coreboot/+/39033 Tested-by: build bot (Jenkins) no-reply@coreboot.org Reviewed-by: Julius Werner jwerner@chromium.org Reviewed-by: Paul Menzel paulepanter@users.sourceforge.net --- M payloads/libpayload/liblzma/lzma.c 1 file changed, 5 insertions(+), 0 deletions(-)
Approvals: build bot (Jenkins): Verified Paul Menzel: Looks good to me, but someone else must approve Julius Werner: Looks good to me, approved
diff --git a/payloads/libpayload/liblzma/lzma.c b/payloads/libpayload/liblzma/lzma.c index 57a8b3a..1845afc 100644 --- a/payloads/libpayload/liblzma/lzma.c +++ b/payloads/libpayload/liblzma/lzma.c @@ -28,6 +28,11 @@ SizeT mallocneeds; unsigned char *scratchpad;
+ if (srcn < data_offset) { + printf("lzma: Input too small.\n"); + return 0; + } + memcpy(properties, src, LZMA_PROPERTIES_SIZE); memcpy(&outSize, src + LZMA_PROPERTIES_SIZE, sizeof(outSize)); if (outSize > dstn)