lzma: Make sure we don't dereference past array
The two dimensional array p->posSlotEncoder[4][64] is being dereferenced using the GetLenToPosState() macro which checks if len is less than 5, and if so subtracts 2 from it. If len = 0, that is 0 - 2 = 4294967294. Obviously we don't want to dereference that far out so we check if the position found is greater or equal kNumLenToPosStates (4) and bail out. N.B.: Upstream LZMA 18.05 and later has this function completely rewritten without any history. Fixes: CID 51526 Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
This commit is contained in:
parent
dc052e5ac7
commit
16c0dbf4bc
1 changed files with 8 additions and 2 deletions
|
@ -1877,13 +1877,19 @@ static SRes LzmaEnc_CodeOneBlock(CLzmaEnc *p, Bool useLimits, UInt32 maxPackSize
|
||||||
}
|
}
|
||||||
else
|
else
|
||||||
{
|
{
|
||||||
UInt32 posSlot;
|
UInt32 posSlot, lenToPosState;
|
||||||
RangeEnc_EncodeBit(&p->rc, &p->isRep[p->state], 0);
|
RangeEnc_EncodeBit(&p->rc, &p->isRep[p->state], 0);
|
||||||
p->state = kMatchNextStates[p->state];
|
p->state = kMatchNextStates[p->state];
|
||||||
LenEnc_Encode2(&p->lenEnc, &p->rc, len - LZMA_MATCH_LEN_MIN, posState, !p->fastMode, p->ProbPrices);
|
LenEnc_Encode2(&p->lenEnc, &p->rc, len - LZMA_MATCH_LEN_MIN, posState, !p->fastMode, p->ProbPrices);
|
||||||
pos -= LZMA_NUM_REPS;
|
pos -= LZMA_NUM_REPS;
|
||||||
GetPosSlot(pos, posSlot);
|
GetPosSlot(pos, posSlot);
|
||||||
RcTree_Encode(&p->rc, p->posSlotEncoder[GetLenToPosState(len)], kNumPosSlotBits, posSlot);
|
lenToPosState = GetLenToPosState(len);
|
||||||
|
if (lenToPosState >= kNumLenToPosStates)
|
||||||
|
{
|
||||||
|
p->result = SZ_ERROR_DATA;
|
||||||
|
return CheckErrors(p);
|
||||||
|
}
|
||||||
|
RcTree_Encode(&p->rc, p->posSlotEncoder[lenToPosState], kNumPosSlotBits, posSlot);
|
||||||
|
|
||||||
if (posSlot >= kStartPosModelIndex)
|
if (posSlot >= kStartPosModelIndex)
|
||||||
{
|
{
|
||||||
|
|
Loading…
Reference in a new issue