In LzmaEnc_CodeOneBlock(), both GetOptimumFast() and GetOptimum()
returns a value of greater or equal to 1, which is assigned to
'len'. But since LZMA_MATCH_LEN_MIN == 2, 'len' should be validated
before performing "len - LZMA_MATCH_LEN_MIN" to avoid underflow
when 'len' equals to 1.
Fixed: CID 51508
Signed-off-by: Lidong Chen <lidong.c...@oracle.com>
---
grub-core/lib/LzmaEnc.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/grub-core/lib/LzmaEnc.c b/grub-core/lib/LzmaEnc.c
index 52b331558..d74e96303 100644
--- a/grub-core/lib/LzmaEnc.c
+++ b/grub-core/lib/LzmaEnc.c
@@ -1880,6 +1880,11 @@ static SRes LzmaEnc_CodeOneBlock(CLzmaEnc *p, Bool
useLimits, UInt32 maxPackSize
UInt32 posSlot, lenToPosState;
RangeEnc_EncodeBit(&p->rc, &p->isRep[p->state], 0);
p->state = kMatchNextStates[p->state];
+ if (len < LZMA_MATCH_LEN_MIN)
+ {
+ p->result = SZ_ERROR_DATA;
+ return CheckErrors(p);
+ }
LenEnc_Encode2(&p->lenEnc, &p->rc, len - LZMA_MATCH_LEN_MIN, posState,
!p->fastMode, p->ProbPrices);
pos -= LZMA_NUM_REPS;
GetPosSlot(pos, posSlot);
--
2.34.1
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
