diff options
| author | Denys Vlasenko <vda.linux@googlemail.com> | 2018-05-25 17:03:46 +0200 |
|---|---|---|
| committer | Denys Vlasenko <vda.linux@googlemail.com> | 2018-05-25 17:03:46 +0200 |
| commit | a36986bb80289c1cd8d15a557e49207c9a42946b (patch) | |
| tree | 15f40fd0cbd8906b29f14d1871db263445058cdf | |
| parent | 8f48fc01e9e43d16bf5860fa37252b43c76cb395 (diff) | |
| download | busybox-w32-a36986bb80289c1cd8d15a557e49207c9a42946b.tar.gz busybox-w32-a36986bb80289c1cd8d15a557e49207c9a42946b.tar.bz2 busybox-w32-a36986bb80289c1cd8d15a557e49207c9a42946b.zip | |
unlzma: close another SEGV possibility
function old new delta
unpack_lzma_stream 2669 2686 +17
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
| -rw-r--r-- | archival/libarchive/decompress_unlzma.c | 6 | ||||
| -rwxr-xr-x | testsuite/unzip.tests | 19 | ||||
| -rw-r--r-- | testsuite/unzip_bad_lzma_2.zip | bin | 0 -> 96 bytes |
3 files changed, 21 insertions, 4 deletions
diff --git a/archival/libarchive/decompress_unlzma.c b/archival/libarchive/decompress_unlzma.c index 446319e7b..6886239d0 100644 --- a/archival/libarchive/decompress_unlzma.c +++ b/archival/libarchive/decompress_unlzma.c | |||
| @@ -350,8 +350,12 @@ unpack_lzma_stream(transformer_state_t *xstate) | |||
| 350 | state = state < LZMA_NUM_LIT_STATES ? 9 : 11; | 350 | state = state < LZMA_NUM_LIT_STATES ? 9 : 11; |
| 351 | 351 | ||
| 352 | pos = buffer_pos - rep0; | 352 | pos = buffer_pos - rep0; |
| 353 | if ((int32_t)pos < 0) | 353 | if ((int32_t)pos < 0) { |
| 354 | pos += header.dict_size; | 354 | pos += header.dict_size; |
| 355 | /* see unzip_bad_lzma_2.zip: */ | ||
| 356 | if (pos >= buffer_size) | ||
| 357 | goto bad; | ||
| 358 | } | ||
| 355 | previous_byte = buffer[pos]; | 359 | previous_byte = buffer[pos]; |
| 356 | goto one_byte1; | 360 | goto one_byte1; |
| 357 | #else | 361 | #else |
diff --git a/testsuite/unzip.tests b/testsuite/unzip.tests index 6bcb6b3a2..af53de9df 100755 --- a/testsuite/unzip.tests +++ b/testsuite/unzip.tests | |||
| @@ -14,7 +14,7 @@ | |||
| 14 | # Create a scratch directory | 14 | # Create a scratch directory |
| 15 | 15 | ||
| 16 | mkdir temp | 16 | mkdir temp |
| 17 | cd temp || exit 90 | 17 | cd temp || exit $? |
| 18 | 18 | ||
| 19 | # Create test file to work with. | 19 | # Create test file to work with. |
| 20 | 20 | ||
| @@ -54,9 +54,22 @@ SKIP= | |||
| 54 | 54 | ||
| 55 | rm -f * | 55 | rm -f * |
| 56 | 56 | ||
| 57 | optional CONFIG_FEATURE_UNZIP_LZMA | 57 | optional FEATURE_UNZIP_LZMA |
| 58 | testing "unzip (archive with corrupted lzma)" "unzip -p ../unzip_bad_lzma_1.zip 2>&1; echo \$?" \ | 58 | testing "unzip (archive with corrupted lzma 1)" "unzip -p ../unzip_bad_lzma_1.zip 2>&1; echo \$?" \ |
| 59 | "unzip: removing leading '/' from member names | 59 | "unzip: removing leading '/' from member names |
| 60 | unzip: corrupted data | ||
| 61 | unzip: inflate error | ||
| 62 | 1 | ||
| 63 | " \ | ||
| 64 | "" "" | ||
| 65 | SKIP= | ||
| 66 | |||
| 67 | rm -f * | ||
| 68 | |||
| 69 | optional FEATURE_UNZIP_LZMA | ||
| 70 | testing "unzip (archive with corrupted lzma 2)" "unzip -p ../unzip_bad_lzma_2.zip 2>&1; echo \$?" \ | ||
| 71 | "unzip: removing leading '/' from member names | ||
| 72 | unzip: corrupted data | ||
| 60 | unzip: inflate error | 73 | unzip: inflate error |
| 61 | 1 | 74 | 1 |
| 62 | " \ | 75 | " \ |
diff --git a/testsuite/unzip_bad_lzma_2.zip b/testsuite/unzip_bad_lzma_2.zip new file mode 100644 index 000000000..cdb917088 --- /dev/null +++ b/testsuite/unzip_bad_lzma_2.zip | |||
| Binary files differ | |||