lzma: Make sure we don't dereference past array
The two dimensional array p->posSlotEncoder[4][64] is being dereferenced using the GetLenToPosState() macro which checks if len is less than 5, and if so subtracts 2 from it. If len = 0, that is 0 - 2 = 4294967294. Obviously we don't want to dereference that far out so we check if the position found is greater or equal kNumLenToPosStates (4) and bail out. N.B.: Upstream LZMA 18.05 and later has this function completely rewritten without any history. Fixes: CID 51526 Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> Reviewed-by: Daniel Kiper <daniel.kiper@oracle.com>
This commit is contained in:
		
							parent
							
								
									dc052e5ac7
								
							
						
					
					
						commit
						16c0dbf4bc
					
				
					 1 changed files with 8 additions and 2 deletions
				
			
		|  | @ -1877,13 +1877,19 @@ static SRes LzmaEnc_CodeOneBlock(CLzmaEnc *p, Bool useLimits, UInt32 maxPackSize | |||
|       } | ||||
|       else | ||||
|       { | ||||
|         UInt32 posSlot; | ||||
|         UInt32 posSlot, lenToPosState; | ||||
|         RangeEnc_EncodeBit(&p->rc, &p->isRep[p->state], 0); | ||||
|         p->state = kMatchNextStates[p->state]; | ||||
|         LenEnc_Encode2(&p->lenEnc, &p->rc, len - LZMA_MATCH_LEN_MIN, posState, !p->fastMode, p->ProbPrices); | ||||
|         pos -= LZMA_NUM_REPS; | ||||
|         GetPosSlot(pos, posSlot); | ||||
|         RcTree_Encode(&p->rc, p->posSlotEncoder[GetLenToPosState(len)], kNumPosSlotBits, posSlot); | ||||
|         lenToPosState = GetLenToPosState(len); | ||||
|         if (lenToPosState >= kNumLenToPosStates) | ||||
|         { | ||||
|           p->result = SZ_ERROR_DATA; | ||||
|           return CheckErrors(p); | ||||
|         } | ||||
|         RcTree_Encode(&p->rc, p->posSlotEncoder[lenToPosState], kNumPosSlotBits, posSlot); | ||||
| 
 | ||||
|         if (posSlot >= kStartPosModelIndex) | ||||
|         { | ||||
|  |  | |||
		Loading…
	
	Add table
		Add a link
		
	
		Reference in a new issue