1From 78829f0c230680e386fff9f420bb1631bc20f761 Mon Sep 17 00:00:00 2001
2From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
3Date: Thu, 9 Jul 2020 03:05:23 +0000
4Subject: [PATCH] lzma: Make sure we don't dereference past array
5MIME-Version: 1.0
6Content-Type: text/plain; charset=UTF-8
7Content-Transfer-Encoding: 8bit
8
9The two dimensional array p->posSlotEncoder[4][64] is being dereferenced
10using the GetLenToPosState() macro which checks if len is less than 5,
11and if so subtracts 2 from it. If len = 0, that is 0 - 2 = 4294967294.
12Obviously we don't want to dereference that far out so we check if the
13position found is greater or equal kNumLenToPosStates (4) and bail out.
14
15N.B.: Upstream LZMA 18.05 and later has this function completely rewritten
16without any history.
17
18Fixes: CID 51526
19
20Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com>
21Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
22Signed-off-by: Stefan Sørensen <stefan.sorensen@spectralink.com>
23---
24 grub-core/lib/LzmaEnc.c | 10 ++++++++--
25 1 file changed, 8 insertions(+), 2 deletions(-)
26
27diff --git a/grub-core/lib/LzmaEnc.c b/grub-core/lib/LzmaEnc.c
28index f2ec04a8c..753e56a95 100644
29--- a/grub-core/lib/LzmaEnc.c
30+++ b/grub-core/lib/LzmaEnc.c
31@@ -1877,13 +1877,19 @@ static SRes LzmaEnc_CodeOneBlock(CLzmaEnc *p, Bool useLimits, UInt32 maxPackSize
32       }
33       else
34       {
35-        UInt32 posSlot;
36+        UInt32 posSlot, lenToPosState;
37         RangeEnc_EncodeBit(&p->rc, &p->isRep[p->state], 0);
38         p->state = kMatchNextStates[p->state];
39         LenEnc_Encode2(&p->lenEnc, &p->rc, len - LZMA_MATCH_LEN_MIN, posState, !p->fastMode, p->ProbPrices);
40         pos -= LZMA_NUM_REPS;
41         GetPosSlot(pos, posSlot);
42-        RcTree_Encode(&p->rc, p->posSlotEncoder[GetLenToPosState(len)], kNumPosSlotBits, posSlot);
43+        lenToPosState = GetLenToPosState(len);
44+        if (lenToPosState >= kNumLenToPosStates)
45+        {
46+          p->result = SZ_ERROR_DATA;
47+          return CheckErrors(p);
48+        }
49+        RcTree_Encode(&p->rc, p->posSlotEncoder[lenToPosState], kNumPosSlotBits, posSlot);
50
51         if (posSlot >= kStartPosModelIndex)
52         {
53--
542.26.2
55
56