diff --git a/SOURCES/edk2-MdeModulePkg-LzmaCustomDecompressLib-catch-4GB-uncom.patch b/SOURCES/edk2-MdeModulePkg-LzmaCustomDecompressLib-catch-4GB-uncom.patch
new file mode 100644
index 0000000..680d262
--- /dev/null
+++ b/SOURCES/edk2-MdeModulePkg-LzmaCustomDecompressLib-catch-4GB-uncom.patch
@@ -0,0 +1,101 @@
+From dea2c718df8b58f5147c7674797bf65df649c53e Mon Sep 17 00:00:00 2001
+From: Laszlo Ersek <lersek@redhat.com>
+Date: Thu, 19 Nov 2020 12:50:34 +0100
+Subject: [PATCH] MdeModulePkg/LzmaCustomDecompressLib: catch 4GB+ uncompressed
+ buffer sizes
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+RH-Author: Laszlo Ersek (lersek)
+RH-MergeRequest: 1: prevent integer overflow / heap corruption in LZMA decompression [rhel-8.4.0.z]
+RH-Commit: [1/1] a8ec492d7ebb6ae3c51513f501f72d5418b71f17
+RH-Bugzilla: 1952953
+RH-Acked-by: Miroslav Rezanina <mrezanin@redhat.com>
+RH-Acked-by: Philippe Mathieu-Daudé <philmd@redhat.com>
+
+The LzmaUefiDecompressGetInfo() function
+[MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c] currently
+silently truncates the UINT64 "DecodedSize" property of the compressed
+blob to the UINT32 "DestinationSize" output parameter.
+
+If "DecodedSize" is 0x1_0000_0100, for example, then the subsequent memory
+allocation (for decompression) will likely succeed (allocating 0x100 bytes
+only), but then the LzmaUefiDecompress() function (which re-fetches the
+uncompressed buffer size from the same LZMA header into a "SizeT"
+variable) will overwrite the buffer.
+
+Catch (DecodedSize > MAX_UINT32) in LzmaUefiDecompressGetInfo() at once.
+This should not be a practical limitation. (The issue cannot be fixed for
+32-bit systems without spec modifications anyway, given that the
+"OutputSize" output parameter of
+EFI_GUIDED_SECTION_EXTRACTION_PROTOCOL.ExtractSection() has type UINTN,
+not UINT64.)
+
+Cc: Dandan Bi <dandan.bi@intel.com>
+Cc: Hao A Wu <hao.a.wu@intel.com>
+Cc: Jian J Wang <jian.j.wang@intel.com>
+Cc: Liming Gao <gaoliming@byosoft.com.cn>
+Cc: Philippe Mathieu-Daud <philmd@redhat.com>
+Ref: https://bugzilla.tianocore.org/show_bug.cgi?id=1816
+Signed-off-by: Laszlo Ersek <lersek@redhat.com>
+Reviewed-by: Liming Gao <gaoliming@byosoft.com.cn>
+Reviewed-by: Philippe Mathieu-Daud <philmd@redhat.com>
+Message-Id: <20201119115034.12897-2-lersek@redhat.com>
+(cherry picked from commit e7bd0dd26db7e56aa8ca70132d6ea916ee6f3db0)
+---
+ .../Library/LzmaCustomDecompressLib/LzmaDecompress.c       | 7 +++++++
+ .../LzmaCustomDecompressLib/LzmaDecompressLibInternal.h    | 5 +++++
+ 2 files changed, 12 insertions(+)
+
+diff --git a/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c b/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c
+index c58912eb6a..8f7c242dca 100644
+--- a/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c
++++ b/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompress.c
+@@ -127,6 +127,10 @@ GetDecodedSizeOfBuf(
+                           in DestinationSize and the size of the scratch
+                           buffer was returned in ScratchSize.
+ 
++  @retval RETURN_UNSUPPORTED  DestinationSize cannot be output because the
++                              uncompressed buffer size (in bytes) does not fit
++                              in a UINT32. Output parameters have not been
++                              modified.
+ **/
+ RETURN_STATUS
+ EFIAPI
+@@ -142,6 +146,9 @@ LzmaUefiDecompressGetInfo (
+   ASSERT(SourceSize >= LZMA_HEADER_SIZE);
+ 
+   DecodedSize = GetDecodedSizeOfBuf((UINT8*)Source);
++  if (DecodedSize > MAX_UINT32) {
++    return RETURN_UNSUPPORTED;
++  }
+ 
+   *DestinationSize = (UINT32)DecodedSize;
+   *ScratchSize = SCRATCH_BUFFER_REQUEST_SIZE;
+diff --git a/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLibInternal.h b/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLibInternal.h
+index 26f110ba2a..fbafd5f100 100644
+--- a/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLibInternal.h
++++ b/MdeModulePkg/Library/LzmaCustomDecompressLib/LzmaDecompressLibInternal.h
+@@ -9,6 +9,7 @@
+ #ifndef __LZMADECOMPRESSLIB_INTERNAL_H__
+ #define __LZMADECOMPRESSLIB_INTERNAL_H__
+ 
++#include <Base.h>
+ #include <PiPei.h>
+ #include <Library/BaseLib.h>
+ #include <Library/BaseMemoryLib.h>
+@@ -45,6 +46,10 @@
+                           in DestinationSize and the size of the scratch
+                           buffer was returned in ScratchSize.
+ 
++  @retval RETURN_UNSUPPORTED  DestinationSize cannot be output because the
++                              uncompressed buffer size (in bytes) does not fit
++                              in a UINT32. Output parameters have not been
++                              modified.
+ **/
+ RETURN_STATUS
+ EFIAPI
+-- 
+2.27.0
+
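Review bot: The new `if (DecodedSize > MAX_UINT32)` check in the LzmaDecompress.c hunk runs only after `GetDecodedSizeOfBuf((UINT8*)Source)` has already read the header, and the sole guard on that read is the `ASSERT(SourceSize >= LZMA_HEADER_SIZE)` on the line above it, which (assuming the usual edk2 DebugLib behaviour) is compiled out in RELEASE builds, so a Source shorter than the LZMA header would still be read past its end before the new check ever fires. Since the function now deliberately rejects an out-of-range header value at runtime rather than by assertion, a matching runtime check ahead of the ASSERT, `if (SourceSize < LZMA_HEADER_SIZE) { return RETURN_INVALID_PARAMETER; }`, would make the size validation complete in every build configuration and would deserve its own `@retval` line in both the .c and LzmaDecompressLibInternal.h doc blocks. The added `@retval RETURN_UNSUPPORTED` text says output parameters are not modified on that path, which is borne out by the hunk because the early return precedes the writes to `*DestinationSize` and `*ScratchSize`. LzmaUefiDecompressGetInfo starts and ends outside the hunk, so whether other callers of GetDecodedSizeOfBuf need the same treatment cannot be judged from here.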
diff --git a/SPECS/edk2.spec b/SPECS/edk2.spec
index 3231b35..ea2bc9a 100644
--- a/SPECS/edk2.spec
+++ b/SPECS/edk2.spec
@@ -7,7 +7,7 @@ ExclusiveArch: x86_64 aarch64
 
 Name:       edk2
 Version:    %{GITDATE}git%{GITCOMMIT}
-Release:    4%{?dist}
+Release:    4%{?dist}.1
 Summary:    UEFI firmware for 64-bit virtual machines
 Group:      Applications/Emulators
 License:    BSD-2-Clause-Patent and OpenSSL and MIT
@@ -66,6 +66,8 @@ Patch33: edk2-OvmfPkg-CpuHotplugSmm-fix-CPU-hotplug-race-just-befo.patch
 Patch34: edk2-OvmfPkg-CpuHotplugSmm-fix-CPU-hotplug-race-just-afte.patch
 # For bz#1893806 - attempt advancing RHEL8 edk2's OpenSSL submodule to RHEL8 OpenSSL 1.1.1g (or later)
 Patch35: edk2-CryptoPkg-OpensslLib-Upgrade-OpenSSL-to-1.1.1g.patch
+# For bz#1952953 - edk2: possible heap corruption with LzmaUefiDecompressGetInfo [rhel-8] [rhel-8.4.0.z]
+Patch36: edk2-MdeModulePkg-LzmaCustomDecompressLib-catch-4GB-uncom.patch
 
 
 # python3-devel and libuuid-devel are required for building tools.
@@ -515,6 +517,11 @@ true
 %endif
 
 %changelog
+* Thu May 13 2021 Miroslav Rezanina <mrezanin@redhat.com> - 20200602gitca407c7246bf-4.el8_4.1
+- edk2-MdeModulePkg-LzmaCustomDecompressLib-catch-4GB-uncom.patch [bz#1952953]
+- Resolves: bz#1952953
+  (edk2: possible heap corruption with LzmaUefiDecompressGetInfo [rhel-8] [rhel-8.4.0.z])
+
 * Mon Nov 23 2020 Miroslav Rezanina <mrezanin@redhat.com> - 20200602gitca407c7246bf-4.el8
 - edk2-OvmfPkg-SmmControl2Dxe-negotiate-ICH9_LPC_SMI_F_CPU_.patch [bz#1849177]
 - edk2-OvmfPkg-CpuHotplugSmm-fix-CPU-hotplug-race-just-befo.patch [bz#1849177]