|
|
b1bcb2 |
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
|
c4e390 |
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
|
c4e390 |
Date: Thu, 9 Jul 2020 03:05:23 +0000
|
|
|
b1bcb2 |
Subject: [PATCH] lzma: Make sure we don't dereference past array
|
|
|
c4e390 |
|
|
|
c4e390 |
The two dimensional array p->posSlotEncoder[4][64] is being dereferenced
|
|
|
c4e390 |
using the GetLenToPosState() macro which checks if len is less than 5,
|
|
|
c4e390 |
and if so subtracts 2 from it. If len = 0, that is 0 - 2 = 4294967294.
|
|
|
c4e390 |
Obviously we don't want to dereference that far out so we check if the
|
|
|
c4e390 |
position found is greater or equal kNumLenToPosStates (4) and bail out.
|
|
|
c4e390 |
|
|
|
c4e390 |
N.B.: Upstream LZMA 18.05 and later has this function completely rewritten
|
|
|
c4e390 |
without any history.
|
|
|
c4e390 |
|
|
|
c4e390 |
Fixes: CID 51526
|
|
|
c4e390 |
|
|
|
c4e390 |
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
|
|
|
c4e390 |
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
|
|
|
c4e390 |
Upstream-commit-id: f91e043bda4
|
|
|
c4e390 |
---
|
|
|
c4e390 |
grub-core/lib/LzmaEnc.c | 10 ++++++++--
|
|
|
c4e390 |
1 file changed, 8 insertions(+), 2 deletions(-)
|
|
|
c4e390 |
|
|
|
c4e390 |
diff --git a/grub-core/lib/LzmaEnc.c b/grub-core/lib/LzmaEnc.c
|
|
|
c4e390 |
index f2ec04a8c28..753e56a95e3 100644
|
|
|
c4e390 |
--- a/grub-core/lib/LzmaEnc.c
|
|
|
c4e390 |
+++ b/grub-core/lib/LzmaEnc.c
|
|
|
c4e390 |
@@ -1877,13 +1877,19 @@ static SRes LzmaEnc_CodeOneBlock(CLzmaEnc *p, Bool useLimits, UInt32 maxPackSize
|
|
|
c4e390 |
}
|
|
|
c4e390 |
else
|
|
|
c4e390 |
{
|
|
|
c4e390 |
- UInt32 posSlot;
|
|
|
c4e390 |
+ UInt32 posSlot, lenToPosState;
|
|
|
c4e390 |
RangeEnc_EncodeBit(&p->rc, &p->isRep[p->state], 0);
|
|
|
c4e390 |
p->state = kMatchNextStates[p->state];
|
|
|
c4e390 |
LenEnc_Encode2(&p->lenEnc, &p->rc, len - LZMA_MATCH_LEN_MIN, posState, !p->fastMode, p->ProbPrices);
|
|
|
c4e390 |
pos -= LZMA_NUM_REPS;
|
|
|
c4e390 |
GetPosSlot(pos, posSlot);
|
|
|
c4e390 |
- RcTree_Encode(&p->rc, p->posSlotEncoder[GetLenToPosState(len)], kNumPosSlotBits, posSlot);
|
|
|
c4e390 |
+ lenToPosState = GetLenToPosState(len);
|
|
|
c4e390 |
+ if (lenToPosState >= kNumLenToPosStates)
|
|
|
c4e390 |
+ {
|
|
|
c4e390 |
+ p->result = SZ_ERROR_DATA;
|
|
|
c4e390 |
+ return CheckErrors(p);
|
|
|
c4e390 |
+ }
|
|
|
c4e390 |
+ RcTree_Encode(&p->rc, p->posSlotEncoder[lenToPosState], kNumPosSlotBits, posSlot);
|
|
|
c4e390 |
|
|
|
c4e390 |
if (posSlot >= kStartPosModelIndex)
|
|
|
c4e390 |
{
|