> On Jun 10, 2025, at 11:13 AM, Ross Philipson <ross.philip...@oracle.com> wrote:
> 
> On 6/10/25 10:47 AM, Lidong Chen wrote:
>> In LzmaEnc_CodeOneBlock(), both GetOptimumFast() and GetOptimum()
>> return a value greater than or equal to 1, which is assigned to
>> 'len'. But since LZMA_MATCH_LEN_MIN == 2, 'len' should be validated
>> before performing "len - LZMA_MATCH_LEN_MIN" to avoid underflow
>> when 'len' equals 1.
> 
> It seems odd that these internal calls will produce values for len that the 
> calling code can't use and it ends in an error. Does this happen when the 
> input data is bad/malformed/etc? Is it considered an error condition down in 
> those functions when they result in len being set to 1 or 2?

It looks to me that the call to GetOptimum() or GetOptimumFast() returns an encoding decision, not the condition of the input data (lines 1840 & 1871).

    if (p->fastMode)
      len = GetOptimumFast(p, &pos);
    else
      len = GetOptimum(p, nowPos32, &pos);

    if (len == 1 && pos == 0xFFFFFFFF)
    {
1840  p->state = kLiteralNextStates[p->state];
    }
    else
    {
      if (pos < LZMA_NUM_REPS)
      {
           if (len == 1)
1871      p->state = kShortRepNextStates[p->state];
      }
      else
      {
        LenEnc_Encode2(&p->lenEnc, &p->rc, len - LZMA_MATCH_LEN_MIN, posState, !p->fastMode, p->ProbPrices);
      }
    }


Thanks,
Lidong


> 
> Thanks
> Ross
> 
>> Fixed: CID 51508
>> Signed-off-by: Lidong Chen <lidong.c...@oracle.com>
>> ---
>>  grub-core/lib/LzmaEnc.c | 5 +++++
>>  1 file changed, 5 insertions(+)
>> diff --git a/grub-core/lib/LzmaEnc.c b/grub-core/lib/LzmaEnc.c
>> index 52b331558..d74e96303 100644
>> --- a/grub-core/lib/LzmaEnc.c
>> +++ b/grub-core/lib/LzmaEnc.c
>> @@ -1880,6 +1880,11 @@ static SRes LzmaEnc_CodeOneBlock(CLzmaEnc *p, Bool 
>> useLimits, UInt32 maxPackSize
>>          UInt32 posSlot, lenToPosState;
>>          RangeEnc_EncodeBit(&p->rc, &p->isRep[p->state], 0);
>>          p->state = kMatchNextStates[p->state];
>> + if (len < LZMA_MATCH_LEN_MIN)
>> +  {
>> +    p->result = SZ_ERROR_DATA;
>> +    return CheckErrors(p);
>> +  }
>>          LenEnc_Encode2(&p->lenEnc, &p->rc, len - LZMA_MATCH_LEN_MIN, 
>> posState, !p->fastMode, p->ProbPrices);
>>          pos -= LZMA_NUM_REPS;
>>          GetPosSlot(pos, posSlot);
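Review bot: the new `if (len < LZMA_MATCH_LEN_MIN)` check sits after `RangeEnc_EncodeBit(&p->rc, &p->isRep[p->state], 0);` and `p->state = kMatchNextStates[p->state];`, so by the time it fires the isRep bit has already been written to the range coder and the state machine has already advanced; move the check up to just after the `UInt32 posSlot, lenToPosState;` declaration, before `RangeEnc_EncodeBit(...)`, so the SZ_ERROR_DATA exit leaves the encoder output and `p->state` untouched. Also, the added lines are indented with a single space (`+ if (len < LZMA_MATCH_LEN_MIN)`, `+  {`) while the surrounding context lines use the file's existing indentation; please match it.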
> 

_______________________________________________
Grub-devel mailing list
Grub-devel@gnu.org
https://lists.gnu.org/mailman/listinfo/grub-devel
