author | Denys Vlasenko | 2018-04-19 19:29:49 +0200 |
---|---|---|
committer | Denys Vlasenko | 2018-04-19 19:30:51 +0200 |
commit | e09c426456cfd030cc868d93bbcb2e0a6933cabb (patch) | |
tree | b14b4e5bae0dd7a502a28fc471d87b68add7b5c4 | |
parent | 2aeb201c9751d4ee82978c623310e14b9e831b94 (diff) | |
unlzma: fix another SEGV case
function old new delta
unpack_lzma_stream 1705 1717 +12
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
-rw-r--r-- | archival/libarchive/decompress_unlzma.c | 9 | ||||
-rwxr-xr-x | testsuite/unzip.tests | 15 | ||||
-rw-r--r-- | testsuite/unzip_bad_lzma_1.zip | bin | 0 -> 229 bytes |
3 files changed, 20 insertions, 4 deletions
diff --git a/archival/libarchive/decompress_unlzma.c b/archival/libarchive/decompress_unlzma.c
index 80a4538..42efd5a 100644
--- a/archival/libarchive/decompress_unlzma.c
+++ b/archival/libarchive/decompress_unlzma.c
@@ -224,6 +224,7 @@ unpack_lzma_stream(transformer_state_t *xstate)
 rc_t *rc;
 int i;
 uint8_t *buffer;
+ uint32_t buffer_size;
 uint8_t previous_byte = 0;
 size_t buffer_pos = 0, global_pos = 0;
 int len = 0;
@@ -253,7 +254,8 @@ unpack_lzma_stream(transformer_state_t *xstate)
 if (header.dict_size == 0)
 header.dict_size++;
- buffer = xmalloc(MIN(header.dst_size, header.dict_size));
+ buffer_size = MIN(header.dst_size, header.dict_size);
+ buffer = xmalloc(buffer_size);
 {
 int num_probs;
@@ -464,7 +466,10 @@ unpack_lzma_stream(transformer_state_t *xstate)
 if ((int32_t)pos < 0) {
 pos += header.dict_size;
 /* bug 10436 has an example file where this triggers: */
- if ((int32_t)pos < 0)
+ //if ((int32_t)pos < 0)
+ // goto bad;
+ /* more stringent test (see unzip_bad_lzma_1.zip): */
+ if (pos >= buffer_size)
 goto bad;
 }
 previous_byte = buffer[pos];
diff --git a/testsuite/unzip.tests b/testsuite/unzip.tests
index 2e4becd..6bcb6b3 100755
--- a/testsuite/unzip.tests
+++ b/testsuite/unzip.tests
@@ -14,7 +14,7 @@
 # Create a scratch directory
 mkdir temp
-cd temp
+cd temp || exit 90
 # Create test file to work with.
@@ -52,7 +52,18 @@ NzITNFBLBQUKAC4JAA04Cw0EOhZQSwUGAQAABAIAAgCZAAAAeQAAAAIALhM=
 "
 SKIP=
-rm *
+rm -f *
+
+optional CONFIG_FEATURE_UNZIP_LZMA
+testing "unzip (archive with corrupted lzma)" "unzip -p ../unzip_bad_lzma_1.zip 2>&1; echo \$?" \
+"unzip: removing leading '/' from member names
+unzip: inflate error
+1
+" \
+"" ""
+SKIP=
+
+rm -f *
 # Clean up scratch directory.
diff --git a/testsuite/unzip_bad_lzma_1.zip b/testsuite/unzip_bad_lzma_1.zip
Binary files differ
new file mode 100644
index 0000000..1335c96
--- /dev/null
+++ b/testsuite/unzip_bad_lzma_1.zip |
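Review bot: In the hunk at `@@ -464,7 +466,10 @@` the new bound `if (pos >= buffer_size) goto bad;` runs only inside the `(int32_t)pos < 0` wrap-around branch, so the `buffer[pos]` read on the non-wrapped path still relies on `buffer_pos` staying below `buffer_size`, which this hunk does not show. Because the buffer is sized as `MIN(header.dst_size, header.dict_size)`, placing the same test directly before `previous_byte = buffer[pos];` would cover both paths with one comparison. The commented-out lines `//if ((int32_t)pos < 0)` and `// goto bad;` are better deleted, with the `bug 10436` remark folded into the new comment, so it is clear which test that remark describes. The body of `unpack_lzma_stream` starts and ends outside the hunk; any other place there that indexes `buffer` after adding `header.dict_size` would presumably need the same bound.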
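Review bot: The new `testing` case in the `@@ -52,7 +52,18 @@` hunk pins the complete merged stderr text, including the unrelated `removing leading '/' from member names` warning, so it fails on any wording change even though the property being guarded appears to be that a corrupted LZMA member ends with exit status 1 rather than a crash. A one-line comment above `optional CONFIG_FEATURE_UNZIP_LZMA`, for example `# unzip_bad_lzma_1.zip: corrupted LZMA member; must be rejected with an error, not a SEGV`, would record what the binary fixture is for. The fixture is binary, so its contents cannot be reviewed from this page.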