git.ipfire.org Git - thirdparty/grub.git/commit
lzma: Make sure we don't dereference past array
author Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Thu, 9 Jul 2020 03:05:23 +0000 (03:05 +0000)
committer Daniel Kiper <daniel.kiper@oracle.com>
Wed, 29 Jul 2020 14:55:48 +0000 (16:55 +0200)
commit 16c0dbf4bc6a953c41bc7a031b36dfa8e906afea
tree 44850ccbd773f6dff88c32d425b87b0d40199f8f
parent dc052e5ac77c727645bef437021bf3268cce6996
lzma: Make sure we don't dereference past array

The two dimensional array p->posSlotEncoder[4][64] is being dereferenced
using the GetLenToPosState() macro which checks if len is less than 5,
and if so subtracts 2 from it. If len = 0, that is 0 - 2 = 4294967294.
Obviously we don't want to dereference that far out so we check if the
position found is greater or equal kNumLenToPosStates (4) and bail out.

N.B.: Upstream LZMA 18.05 and later has this function completely rewritten
without any history.

Fixes: CID 51526
Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
grub-core/lib/LzmaEnc.c
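
The unsigned wrap-around described in the commit message, as an added example that is not code from the GRUB tree or from this commit. The macro body is reconstructed from the message's description; `kNumPosSlots`, `len_to_pos_state` and `checked_slot_lookup` are hypothetical names, and the table is a constructed stand-in for `p->posSlotEncoder`.

```c
#include <stdint.h>
#include <stdio.h>

#define kNumLenToPosStates 4u  /* 4, per the commit message */
#define kNumPosSlots 64u       /* hypothetical name for the second dimension */

/* Reconstructed from the commit message: if len < 5, subtract 2. */
#define GetLenToPosState(len) \
  (((len) < kNumLenToPosStates + 1) ? (len) - 2 : kNumLenToPosStates - 1)

/* Constructed stand-in for p->posSlotEncoder[4][64]. */
static uint16_t posSlotEncoder[kNumLenToPosStates][kNumPosSlots];

/* Row index the macro yields for a 32-bit unsigned len. */
uint32_t len_to_pos_state(uint32_t len)
{
  return GetLenToPosState(len);
}

/* Bounds-checked read: returns the slot value, or -1 if an index is out of range. */
int checked_slot_lookup(uint32_t len, uint32_t posSlot)
{
  uint32_t state = len_to_pos_state(len);

  /* Same comparison the commit message describes: bail out if state >= 4. */
  if (state >= kNumLenToPosStates || posSlot >= kNumPosSlots)
    return -1;
  return posSlotEncoder[state][posSlot];
}

int main(void)
{
  const uint32_t lens[] = { 0, 1, 2, 4, 5, 273 };  /* constructed sample inputs */
  size_t i;

  posSlotEncoder[0][0] = 7;  /* constructed marker value */
  for (i = 0; i < sizeof(lens) / sizeof(lens[0]); i++)
    printf("len=%u state=%u lookup=%d\n", (unsigned)lens[i],
           (unsigned)len_to_pos_state(lens[i]), checked_slot_lookup(lens[i], 0));
  return 0;
}
```

Both `len = 0` and `len = 1` wrap to row indices far beyond the four rows, so a single `>= kNumLenToPosStates` comparison on the unsigned result rejects both.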