unlzma: fix a case where we could read before beginning of buffer

Testcase: 21 01 01 00 00 00 00 00 e7 01 01 01 ef 00 df b6 00 17 02 10 11 0f ff 00 16 00 00 Unfortunately, the bug is not reliably causing a segfault, the behavior depends on what's in memory before the buffer. function old new delta unpack_lzma_stream 2762 2768 +6 Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> (cherry picked from commit 04f052c56ded5ab6a904e3a264a73dc0412b2e78)
author: Denys Vlasenko <vda.linux@googlemail.com> 2021-06-15 15:07:57 +0200
committer: Denys Vlasenko <vda.linux@googlemail.com> 2021-11-23 05:31:30 +0100
commit: d326be2850ea2bd78fe2c22d6c45c3b861d82937 (patch)
tree: dc1393b34692db7081d266e70b2fb03a32ac66e8
parent: bcc5b0e6caca6c7602a6a41faa5f980292e0fbc5 (diff)
download: busybox-w32-d326be2850ea2bd78fe2c22d6c45c3b861d82937.tar.gz
busybox-w32-d326be2850ea2bd78fe2c22d6c45c3b861d82937.tar.bz2
busybox-w32-d326be2850ea2bd78fe2c22d6c45c3b861d82937.zip
3 files changed, 17 insertions, 5 deletions
diff --git a/archival/libarchive/decompress_unlzma.c b/archival/libarchive/decompress_unlzma.c
index 0744f231a..fb5aac8fe 100644
--- a/archival/libarchive/decompress_unlzma.c
+++ b/archival/libarchive/decompress_unlzma.c
@@ -290,8 +290,11 @@ unpack_lzma_stream(transformer_state_t *xstate)
                                uint32_t pos;
                                pos = buffer_pos - rep0;
-                                if ((int32_t)pos < 0)
+                                if ((int32_t)pos < 0) {
                                        pos += header.dict_size;
+                                        if ((int32_t)pos < 0)
+                                                goto bad;
+                                }
                                match_byte = buffer[pos];
                                do {
                                        int bit;
diff --git a/testsuite/unlzma.tests b/testsuite/unlzma.tests
index 0e98afe09..fcc6e9441 100755
--- a/testsuite/unlzma.tests
+++ b/testsuite/unlzma.tests
@@ -8,14 +8,23 @@
 # Damaged encrypted streams
 testing "unlzma (bad archive 1)" \
-        "unlzma <unlzma_issue_1.lzma >/dev/null; echo \$?" \
+        "unlzma <unlzma_issue_1.lzma 2>&1 >/dev/null; echo \$?" \
-"1
+"unlzma: corrupted data
+1
 " "" ""
 # Damaged encrypted streams
 testing "unlzma (bad archive 2)" \
-        "unlzma <unlzma_issue_2.lzma >/dev/null; echo \$?" \
+        "unlzma <unlzma_issue_2.lzma 2>&1 >/dev/null; echo \$?" \
-"1
+"unlzma: corrupted data
+1
+" "" ""
+# Damaged encrypted streams
+testing "unlzma (bad archive 3)" \
+        "unlzma <unlzma_issue_3.lzma 2>&1 >/dev/null; echo \$?" \
+"unlzma: corrupted data
+1
 " "" ""
 exit $FAILCOUNT
diff --git a/testsuite/unlzma_issue_3.lzma b/testsuite/unlzma_issue_3.lzma
new file mode 100644
index 000000000..cc60f29e4
--- /dev/null
+++ b/testsuite/unlzma_issue_3.lzma
Binary files differ
author	Denys Vlasenko <vda.linux@googlemail.com>	2021-06-15 15:07:57 +0200
committer	Denys Vlasenko <vda.linux@googlemail.com>	2021-11-23 05:31:30 +0100
commit	d326be2850ea2bd78fe2c22d6c45c3b861d82937 (patch)
tree	dc1393b34692db7081d266e70b2fb03a32ac66e8
parent	bcc5b0e6caca6c7602a6a41faa5f980292e0fbc5 (diff)
download	busybox-w32-d326be2850ea2bd78fe2c22d6c45c3b861d82937.tar.gz busybox-w32-d326be2850ea2bd78fe2c22d6c45c3b861d82937.tar.bz2 busybox-w32-d326be2850ea2bd78fe2c22d6c45c3b861d82937.zip