From 70282aece0dd33f54ee797486f9d7d03aa8c2346 Mon Sep 17 00:00:00 2001
From: Alex Rebert <alexandre.rebert@gmail.com>
Date: Sat, 29 Feb 2020 17:36:08 -0500
Subject: lz4: Fix out-of-bounds reads

Fix two out-of-bounds reads in lz4 decompression:

1) LZ4_decompress_generic could read one byte past the input buffer when
decoding variable length literals due to a missing bounds check. This
issue was resolved in libpayload, commonlib and cbfstool

2) ulz4fn could read up to 4 bytes past the input buffer when reading a
lz4_block_header due to a missing bounds check. This issue was resolved
in libpayload and commonlib.

Change-Id: I5afdf7e1d43ecdb06c7b288be46813c1017569fc
Signed-off-by: Alex Rebert <alexandre.rebert@gmail.com>
Found-by: Mayhem
Reviewed-on: https://review.coreboot.org/c/coreboot/+/39174
Tested-by: build bot (Jenkins) <no-reply@coreboot.org>
Reviewed-by: Patrick Georgi <pgeorgi@google.com>
---
 src/commonlib/bsd/lz4.c.inc | 1 +
 1 file changed, 1 insertion(+)

(limited to 'src/commonlib/bsd/lz4.c.inc')

diff --git a/src/commonlib/bsd/lz4.c.inc b/src/commonlib/bsd/lz4.c.inc
index b3be4e5b44..8c75e2f279 100644
--- a/src/commonlib/bsd/lz4.c.inc
+++ b/src/commonlib/bsd/lz4.c.inc
@@ -150,6 +150,7 @@ FORCE_INLINE int LZ4_decompress_generic(
         if ((length=(token>>ML_BITS)) == RUN_MASK)
         {
             unsigned s;
+            if ((endOnInput) && unlikely(ip>=iend-RUN_MASK)) goto _output_error;   /* overflow detection */
             do
             {
                 s = *ip++;
-- 
cgit v1.2.3