From 40e261b89b71cb10d8af3d1f5c9ef528592dc657 Mon Sep 17 00:00:00 2001
From: Lidong Chen
Date: Thu, 12 Jun 2025 00:03:58 +0000
Subject: [PATCH] lib/LzmaEnc: Validate "len" before subtracting

In LzmaEnc_CodeOneBlock(), both GetOptimumFast() and GetOptimum() returns a value of greater or equal to 1, which is assigned to "len". But since LZMA_MATCH_LEN_MIN == 2, "len" should be validated before performing "len - LZMA_MATCH_LEN_MIN" to avoid underflow when "len" equals to 1.
Fixes: CID 51508
Signed-off-by: Lidong Chen
Reviewed-by: Daniel Kiper
Reviewed-by: Sudhakar Kuppusamy
---
 grub-core/lib/LzmaEnc.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/grub-core/lib/LzmaEnc.c b/grub-core/lib/LzmaEnc.c
index 52b331558..e97cd15a0 100644
--- a/grub-core/lib/LzmaEnc.c
+++ b/grub-core/lib/LzmaEnc.c
@@ -1880,6 +1880,11 @@ static SRes LzmaEnc_CodeOneBlock(CLzmaEnc *p, Bool useLimits, UInt32 maxPackSize
 UInt32 posSlot, lenToPosState;
 RangeEnc_EncodeBit(&p->rc, &p->isRep[p->state], 0);
 p->state = kMatchNextStates[p->state];
+ if (len < LZMA_MATCH_LEN_MIN)
+ {
+ p->result = SZ_ERROR_DATA;
+ return CheckErrors(p);
+ }
 LenEnc_Encode2(&p->lenEnc, &p->rc, len - LZMA_MATCH_LEN_MIN, posState, !p->fastMode, p->ProbPrices);
 pos -= LZMA_NUM_REPS;
 GetPosSlot(pos, posSlot);
--
2.47.3
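Review bot: The new `len < LZMA_MATCH_LEN_MIN` guard sits after `RangeEnc_EncodeBit(&p->rc, &p->isRep[p->state], 0);` and the `p->state = kMatchNextStates[p->state];` update, so on the error path a bit has already been pushed into the range coder and the state advanced before `SZ_ERROR_DATA` is returned. Hoisting the check above those two context lines would make the failure side-effect free; this only matters if a caller keeps using the encoder or its output after an error, which is not visible here. A short comment above the guard, for example `/* len == 1 would wrap len - LZMA_MATCH_LEN_MIN into a huge length symbol */`, would record why it exists, assuming `len` is unsigned as the commit message's "underflow" suggests. The body of LzmaEnc_CodeOneBlock() starts and ends outside the hunk, so whether other `len - LZMA_MATCH_LEN_MIN` uses in the function need the same guard cannot be judged from here.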