Blame SOURCES/0290-lzma-Make-sure-we-don-t-dereference-past-array.patch

c294fc
From 656e3376d52c7244edac9264454c0fadac835749 Mon Sep 17 00:00:00 2001
c294fc
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
c294fc
Date: Thu, 9 Jul 2020 03:05:23 +0000
c294fc
Subject: [PATCH 290/314] lzma: Make sure we don't dereference past array
c294fc
c294fc
The two dimensional array p->posSlotEncoder[4][64] is being dereferenced
c294fc
using the GetLenToPosState() macro which checks if len is less than 5,
c294fc
and if so subtracts 2 from it. If len = 0, that is 0 - 2 = 4294967294.
c294fc
Obviously we don't want to dereference that far out so we check if the
c294fc
position found is greater or equal kNumLenToPosStates (4) and bail out.
c294fc
c294fc
N.B.: Upstream LZMA 18.05 and later has this function completely rewritten
c294fc
without any history.
c294fc
c294fc
Fixes: CID 51526
c294fc
c294fc
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
c294fc
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
c294fc
Upstream-commit-id: f91e043bda4
c294fc
---
c294fc
 grub-core/lib/LzmaEnc.c | 10 ++++++++--
c294fc
 1 file changed, 8 insertions(+), 2 deletions(-)
c294fc
c294fc
diff --git a/grub-core/lib/LzmaEnc.c b/grub-core/lib/LzmaEnc.c
c294fc
index f2ec04a8c28..753e56a95e3 100644
c294fc
--- a/grub-core/lib/LzmaEnc.c
c294fc
+++ b/grub-core/lib/LzmaEnc.c
c294fc
@@ -1877,13 +1877,19 @@ static SRes LzmaEnc_CodeOneBlock(CLzmaEnc *p, Bool useLimits, UInt32 maxPackSize
c294fc
       }
c294fc
       else
c294fc
       {
c294fc
-        UInt32 posSlot;
c294fc
+        UInt32 posSlot, lenToPosState;
c294fc
         RangeEnc_EncodeBit(&p->rc, &p->isRep[p->state], 0);
c294fc
         p->state = kMatchNextStates[p->state];
c294fc
         LenEnc_Encode2(&p->lenEnc, &p->rc, len - LZMA_MATCH_LEN_MIN, posState, !p->fastMode, p->ProbPrices);
c294fc
         pos -= LZMA_NUM_REPS;
c294fc
         GetPosSlot(pos, posSlot);
c294fc
-        RcTree_Encode(&p->rc, p->posSlotEncoder[GetLenToPosState(len)], kNumPosSlotBits, posSlot);
c294fc
+        lenToPosState = GetLenToPosState(len);
c294fc
+        if (lenToPosState >= kNumLenToPosStates)
c294fc
+        {
c294fc
+          p->result = SZ_ERROR_DATA;
c294fc
+          return CheckErrors(p);
c294fc
+        }
c294fc
+        RcTree_Encode(&p->rc, p->posSlotEncoder[lenToPosState], kNumPosSlotBits, posSlot);
c294fc
 
c294fc
         if (posSlot >= kStartPosModelIndex)
c294fc
         {
c294fc
-- 
c294fc
2.26.2
c294fc