Blame SOURCES/0308-lzma-Make-sure-we-don-t-dereference-past-array.patch

b1bcb2
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
c4e390
From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
c4e390
Date: Thu, 9 Jul 2020 03:05:23 +0000
b1bcb2
Subject: [PATCH] lzma: Make sure we don't dereference past array
c4e390
c4e390
The two dimensional array p->posSlotEncoder[4][64] is being dereferenced
c4e390
using the GetLenToPosState() macro which checks if len is less than 5,
c4e390
and if so subtracts 2 from it. If len = 0, that is 0 - 2 = 4294967294.
c4e390
Obviously we don't want to dereference that far out so we check if the
c4e390
position found is greater or equal kNumLenToPosStates (4) and bail out.
c4e390
c4e390
N.B.: Upstream LZMA 18.05 and later has this function completely rewritten
c4e390
without any history.
c4e390
c4e390
Fixes: CID 51526
c4e390
c4e390
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
c4e390
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
c4e390
Upstream-commit-id: f91e043bda4
c4e390
---
c4e390
 grub-core/lib/LzmaEnc.c | 10 ++++++++--
c4e390
 1 file changed, 8 insertions(+), 2 deletions(-)
c4e390
c4e390
diff --git a/grub-core/lib/LzmaEnc.c b/grub-core/lib/LzmaEnc.c
c4e390
index f2ec04a8c28..753e56a95e3 100644
c4e390
--- a/grub-core/lib/LzmaEnc.c
c4e390
+++ b/grub-core/lib/LzmaEnc.c
c4e390
@@ -1877,13 +1877,19 @@ static SRes LzmaEnc_CodeOneBlock(CLzmaEnc *p, Bool useLimits, UInt32 maxPackSize
c4e390
       }
c4e390
       else
c4e390
       {
c4e390
-        UInt32 posSlot;
c4e390
+        UInt32 posSlot, lenToPosState;
c4e390
         RangeEnc_EncodeBit(&p->rc, &p->isRep[p->state], 0);
c4e390
         p->state = kMatchNextStates[p->state];
c4e390
         LenEnc_Encode2(&p->lenEnc, &p->rc, len - LZMA_MATCH_LEN_MIN, posState, !p->fastMode, p->ProbPrices);
c4e390
         pos -= LZMA_NUM_REPS;
c4e390
         GetPosSlot(pos, posSlot);
c4e390
-        RcTree_Encode(&p->rc, p->posSlotEncoder[GetLenToPosState(len)], kNumPosSlotBits, posSlot);
c4e390
+        lenToPosState = GetLenToPosState(len);
c4e390
+        if (lenToPosState >= kNumLenToPosStates)
c4e390
+        {
c4e390
+          p->result = SZ_ERROR_DATA;
c4e390
+          return CheckErrors(p);
c4e390
+        }
c4e390
+        RcTree_Encode(&p->rc, p->posSlotEncoder[lenToPosState], kNumPosSlotBits, posSlot);
c4e390
 
c4e390
         if (posSlot >= kStartPosModelIndex)
c4e390
         {