On 6/10/25 10:47 AM, Lidong Chen wrote:
In LzmaEnc_CodeOneBlock(), both GetOptimumFast() and GetOptimum()
returns a value of greater or equal to 1, which is assigned to
'len'. But since LZMA_MATCH_LEN_MIN == 2, 'len' should be validated
before performing "len - LZMA_MATCH_LEN_MIN" to avoid underflow
when 'len' equals to 1.
It seems odd that these internal calls will produce values for len that
the calling code can't use and it ends in an error. Does this happen
when the input data is bad/malformed/etc? Is it considered an error
condition down in those functions when they result in len being set to 1
or 2?
Thanks
Ross
Fixed: CID 51508
Signed-off-by: Lidong Chen <lidong.c...@oracle.com>
---
grub-core/lib/LzmaEnc.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/grub-core/lib/LzmaEnc.c b/grub-core/lib/LzmaEnc.c
index 52b331558..d74e96303 100644
--- a/grub-core/lib/LzmaEnc.c
+++ b/grub-core/lib/LzmaEnc.c
@@ -1880,6 +1880,11 @@ static SRes LzmaEnc_CodeOneBlock(CLzmaEnc *p, Bool
useLimits, UInt32 maxPackSize
UInt32 posSlot, lenToPosState;
RangeEnc_EncodeBit(&p->rc, &p->isRep[p->state], 0);
p->state = kMatchNextStates[p->state];
+ if (len < LZMA_MATCH_LEN_MIN)
+ {
+ p->result = SZ_ERROR_DATA;
+ return CheckErrors(p);
+ }
LenEnc_Encode2(&p->lenEnc, &p->rc, len - LZMA_MATCH_LEN_MIN, posState,
!p->fastMode, p->ProbPrices);
pos -= LZMA_NUM_REPS;
GetPosSlot(pos, posSlot);
_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
