summaryrefslogtreecommitdiff
path: root/util/cbfstool
diff options
context:
space:
mode:
authorAlex Rebert <alexandre.rebert@gmail.com>2020-02-29 17:36:08 -0500
committerPatrick Georgi <pgeorgi@google.com>2020-03-02 15:03:03 +0000
commit70282aece0dd33f54ee797486f9d7d03aa8c2346 (patch)
tree8c6dbbc5462ff98f1bfca104396efe642cbbbbf7 /util/cbfstool
parente5e24107f91a959e24546d0cdad84eecee329f8e (diff)
lz4: Fix out-of-bounds reads
Fix two out-of-bounds reads in lz4 decompression: 1) LZ4_decompress_generic could read one byte past the input buffer when decoding variable length literals due to a missing bounds check. This issue was resolved in libpayload, commonlib and cbfstool 2) ulz4fn could read up to 4 bytes past the input buffer when reading a lz4_block_header due to a missing bounds check. This issue was resolved in libpayload and commonlib. Change-Id: I5afdf7e1d43ecdb06c7b288be46813c1017569fc Signed-off-by: Alex Rebert <alexandre.rebert@gmail.com> Found-by: Mayhem Reviewed-on: https://review.coreboot.org/c/coreboot/+/39174 Tested-by: build bot (Jenkins) <no-reply@coreboot.org> Reviewed-by: Patrick Georgi <pgeorgi@google.com>
Diffstat (limited to 'util/cbfstool')
-rw-r--r--util/cbfstool/lz4/lib/lz4.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/util/cbfstool/lz4/lib/lz4.c b/util/cbfstool/lz4/lib/lz4.c
index 9c9a9a0d00..e393690203 100644
--- a/util/cbfstool/lz4/lib/lz4.c
+++ b/util/cbfstool/lz4/lib/lz4.c
@@ -1206,6 +1206,7 @@ FORCE_INLINE int LZ4_decompress_generic(
if ((length=(token>>ML_BITS)) == RUN_MASK)
{
unsigned s;
+ if ((endOnInput) && unlikely(ip>=iend-RUN_MASK)) goto _output_error; /* overflow detection */
do
{
s = *ip++;