summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlex Rebert <alexandre.rebert@gmail.com>2020-02-22 18:13:39 -0500
committerPatrick Georgi <pgeorgi@google.com>2020-02-25 10:13:51 +0000
commit41de2a08ec85df00ff85d87dbee2cb37185e5323 (patch)
tree63b6766c8419cfda5a2fed97f90c533acac4419c
parent3f4af0da938e0d9f4d80e77a3d8abd1f6400e57e (diff)
downloadcoreboot-41de2a08ec85df00ff85d87dbee2cb37185e5323.tar.xz
lib/lzma: Fix out-of-bounds read
Fix an out-of-bounds read in the LZMA decoder which happens when the src buffer is too small to contain the 13-byte LZMA header. Change-Id: Id5893e60fc9a48deb83560b7917f5558cd30ef4e Signed-off-by: Alex Rebert <alexandre.rebert@gmail.com> Found-by: Mayhem Reviewed-on: https://review.coreboot.org/c/coreboot/+/39085 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Julius Werner <jwerner@chromium.org>
-rw-r--r--src/lib/lzma.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/src/lib/lzma.c b/src/lib/lzma.c
index 71c016ebcd..16b6e228fb 100644
--- a/src/lib/lzma.c
+++ b/src/lib/lzma.c
@@ -29,6 +29,11 @@ size_t ulzman(const void *src, size_t srcn, void *dst, size_t dstn)
MAYBE_STATIC_BSS unsigned char scratchpad[15980];
const unsigned char *cp;
+ if (srcn < data_offset) {
+ printk(BIOS_WARNING, "lzma: Input too small.\n");
+ return 0;
+ }
+
memcpy(properties, src, LZMA_PROPERTIES_SIZE);
/* The outSize in LZMA stream is a 64bit integer stored in little-endian
* (ref: lzma.cc@LZMACompress: put_64). To prevent accessing by