From: Lidong Chen Date: Mon, 23 Jun 2025 17:42:32 +0000 (+0000) Subject: Revert "lzma: Make sure we don't dereference past array" X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2f2ed28d5ac31b3239f2916d9906ef02032bc7d7;p=thirdparty%2Fgrub.git Revert "lzma: Make sure we don't dereference past array" Commit 40e261b89b71 (lib/LzmaEnc: Validate "len" before subtracting) ensures that the variable len is at least 2. As a result, GetLenToPosState(len) never returns a value greater than or equal to kNumLenToPosStates, making the changes introduced in the commit 16c0dbf4bc6a (lzma: Make sure we don't dereference past array) unreachable and no longer necessary. This reverts commit 16c0dbf4bc6a (lzma: Make sure we don't dereference past array). Fixes: CID 481982 Signed-off-by: Lidong Chen Reviewed-by: Daniel Kiper
---
diff --git a/grub-core/lib/LzmaEnc.c b/grub-core/lib/LzmaEnc.c
index e97cd15a0..0fb2cf1d4 100644
--- a/grub-core/lib/LzmaEnc.c
+++ b/grub-core/lib/LzmaEnc.c
@@ -1877,7 +1877,7 @@ static SRes LzmaEnc_CodeOneBlock(CLzmaEnc *p, Bool useLimits, UInt32 maxPackSize
 }
 else
 {
- UInt32 posSlot, lenToPosState;
+ UInt32 posSlot;
 RangeEnc_EncodeBit(&p->rc, &p->isRep[p->state], 0);
 p->state = kMatchNextStates[p->state];
 if (len < LZMA_MATCH_LEN_MIN)
@@ -1888,13 +1888,7 @@ static SRes LzmaEnc_CodeOneBlock(CLzmaEnc *p, Bool useLimits, UInt32 maxPackSize
 LenEnc_Encode2(&p->lenEnc, &p->rc, len - LZMA_MATCH_LEN_MIN, posState, !p->fastMode, p->ProbPrices);
 pos -= LZMA_NUM_REPS;
 GetPosSlot(pos, posSlot);
- lenToPosState = GetLenToPosState(len);
- if (lenToPosState >= kNumLenToPosStates)
- {
- p->result = SZ_ERROR_DATA;
- return CheckErrors(p);
- }
- RcTree_Encode(&p->rc, p->posSlotEncoder[lenToPosState], kNumPosSlotBits, posSlot);
+ RcTree_Encode(&p->rc, p->posSlotEncoder[GetLenToPosState(len)], kNumPosSlotBits, posSlot);
 if (posSlot >= kStartPosModelIndex)
 {
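Review bot: The index `p->posSlotEncoder[GetLenToPosState(len)]` on the new RcTree_Encode line in the second hunk is now bounded only by the `if (len < LZMA_MATCH_LEN_MIN)` check that ends the first hunk, and nothing at the index site records that dependency. The body of that check lies between the two hunks and is not shown, so its rejection path is inferred from the commit message rather than visible here. A one-line comment above the call would keep a later refactor from separating the guard from the array access, for example `/* len >= LZMA_MATCH_LEN_MIN was checked above, so GetLenToPosState(len) < kNumLenToPosStates. */`. The macro's definition is not on this page, so that bound should be confirmed against it before the comment is committed. LzmaEnc_CodeOneBlock starts and ends outside both hunks.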