diff options
author | Alex Rebert <alexandre.rebert@gmail.com> | 2020-02-20 22:55:45 -0500 |
---|---|---|
committer | Patrick Georgi <pgeorgi@google.com> | 2020-02-24 12:53:25 +0000 |
commit | 183ad06f522b279328acb70dfba52d31f9ff9c91 (patch) | |
tree | 7a8ad7c424b6776a302d7ac1fdef0c4c61c26670 | |
parent | a0b0d42d691f163b0a5a8268da1087c9c5f28eaa (diff) |
libpayload: Fix out-of-bounds read
Fix an out-of-bounds read in the LZMA decoder which happens when the src
buffer is too small to contain the 13-byte LZMA header.
Change-Id: Ie442f82cd1abcf7fa18295e782cccf26a7d30079
Signed-off-by: Alex Rebert <alexandre.rebert@gmail.com>
Found-by: Mayhem
Reviewed-on: https://review.coreboot.org/c/coreboot/+/39033
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Julius Werner <jwerner@chromium.org>
Reviewed-by: Paul Menzel <paulepanter@users.sourceforge.net>
-rw-r--r-- | payloads/libpayload/liblzma/lzma.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/payloads/libpayload/liblzma/lzma.c b/payloads/libpayload/liblzma/lzma.c index 57a8b3a5c7..1845afc883 100644 --- a/payloads/libpayload/liblzma/lzma.c +++ b/payloads/libpayload/liblzma/lzma.c @@ -28,6 +28,11 @@ unsigned long ulzman(const unsigned char *src, unsigned long srcn, SizeT mallocneeds; unsigned char *scratchpad; + if (srcn < data_offset) { + printf("lzma: Input too small.\n"); + return 0; + } + memcpy(properties, src, LZMA_PROPERTIES_SIZE); memcpy(&outSize, src + LZMA_PROPERTIES_SIZE, sizeof(outSize)); if (outSize > dstn) |