Alexandre Rebert has uploaded this change for review. ( https://review.coreboot.org/c/coreboot/+/39085 )
Change subject: lib/lzma: Fix out-of-bounds read
lib/lzma: Fix out-of-bounds read
Fix an out-of-bounds read in the LZMA decoder which happens when the src buffer is too small to contain the 13-byte LZMA header.
Change-Id: Id5893e60fc9a48deb83560b7917f5558cd30ef4e
Signed-off-by: Alex Rebert alexandre.rebert@gmail.com
Found-by: Mayhem
---
M src/lib/lzma.c
1 file changed, 5 insertions(+), 0 deletions(-)
git pull ssh://review.coreboot.org:29418/coreboot refs/changes/85/39085/1
diff --git a/src/lib/lzma.c b/src/lib/lzma.c index 71c016e..16b6e22 100644 --- a/src/lib/lzma.c +++ b/src/lib/lzma.c @@ -29,6 +29,11 @@ MAYBE_STATIC_BSS unsigned char scratchpad[15980]; const unsigned char *cp;
+ if (srcn < data_offset) { + printk(BIOS_WARNING, "lzma: Input too small.\n"); + return 0; + } + memcpy(properties, src, LZMA_PROPERTIES_SIZE); /* The outSize in LZMA stream is a 64bit integer stored in little-endian * (ref: lzma.cc@LZMACompress: put_64). To prevent accessing by
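Review bot: the new `if (srcn < data_offset)` guard is only as good as the value of `data_offset`, whose definition is not visible in this hunk. Please add a one-line comment at the check stating that `data_offset` spans the properties copied by `memcpy(properties, src, LZMA_PROPERTIES_SIZE)` plus the 64-bit outSize field, i.e. the 13-byte header named in the commit message, so the bound can be verified without leaving the function. Note also that an input with `srcn == data_offset` passes this check with zero payload bytes, so the guard protects the header reads only and everything after it still depends on the decoder's own bounds handling. Printing `srcn` in the "Input too small" warning would make a truncated image easier to diagnose from the log.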
Julius Werner has posted comments on this change. ( https://review.coreboot.org/c/coreboot/+/39085 )
Change subject: lib/lzma: Fix out-of-bounds read
Patch Set 1: Code-Review+2
Patrick Georgi has submitted this change. ( https://review.coreboot.org/c/coreboot/+/39085 )
Change subject: lib/lzma: Fix out-of-bounds read
lib/lzma: Fix out-of-bounds read
Fix an out-of-bounds read in the LZMA decoder which happens when the src buffer is too small to contain the 13-byte LZMA header.
Change-Id: Id5893e60fc9a48deb83560b7917f5558cd30ef4e
Signed-off-by: Alex Rebert alexandre.rebert@gmail.com
Found-by: Mayhem
Reviewed-on: https://review.coreboot.org/c/coreboot/+/39085
Tested-by: build bot (Jenkins) no-reply@coreboot.org
Reviewed-by: Julius Werner jwerner@chromium.org
---
M src/lib/lzma.c
1 file changed, 5 insertions(+), 0 deletions(-)
Approvals:
  build bot (Jenkins): Verified
  Julius Werner: Looks good to me, approved
diff --git a/src/lib/lzma.c b/src/lib/lzma.c index 71c016e..16b6e22 100644 --- a/src/lib/lzma.c +++ b/src/lib/lzma.c @@ -29,6 +29,11 @@ MAYBE_STATIC_BSS unsigned char scratchpad[15980]; const unsigned char *cp;
+ if (srcn < data_offset) { + printk(BIOS_WARNING, "lzma: Input too small.\n"); + return 0; + } + memcpy(properties, src, LZMA_PROPERTIES_SIZE); /* The outSize in LZMA stream is a 64bit integer stored in little-endian * (ref: lzma.cc@LZMACompress: put_64). To prevent accessing by