diff options
| author | Denys Vlasenko <vda.linux@googlemail.com> | 2018-04-19 19:29:49 +0200 |
|---|---|---|
| committer | Denys Vlasenko <vda.linux@googlemail.com> | 2018-04-19 19:30:51 +0200 |
| commit | e09c426456cfd030cc868d93bbcb2e0a6933cabb (patch) | |
| tree | b14b4e5bae0dd7a502a28fc471d87b68add7b5c4 | |
| parent | 2aeb201c9751d4ee82978c623310e14b9e831b94 (diff) | |
| download | busybox-w32-e09c426456cfd030cc868d93bbcb2e0a6933cabb.tar.gz busybox-w32-e09c426456cfd030cc868d93bbcb2e0a6933cabb.tar.bz2 busybox-w32-e09c426456cfd030cc868d93bbcb2e0a6933cabb.zip | |
unlzma: fix another SEGV case
function old new delta
unpack_lzma_stream 1705 1717 +12
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
| -rw-r--r-- | archival/libarchive/decompress_unlzma.c | 9 | ||||
| -rwxr-xr-x | testsuite/unzip.tests | 15 | ||||
| -rw-r--r-- | testsuite/unzip_bad_lzma_1.zip | bin | 0 -> 229 bytes |
3 files changed, 20 insertions, 4 deletions
diff --git a/archival/libarchive/decompress_unlzma.c b/archival/libarchive/decompress_unlzma.c index 80a453806..42efd5aa7 100644 --- a/archival/libarchive/decompress_unlzma.c +++ b/archival/libarchive/decompress_unlzma.c | |||
| @@ -224,6 +224,7 @@ unpack_lzma_stream(transformer_state_t *xstate) | |||
| 224 | rc_t *rc; | 224 | rc_t *rc; |
| 225 | int i; | 225 | int i; |
| 226 | uint8_t *buffer; | 226 | uint8_t *buffer; |
| 227 | uint32_t buffer_size; | ||
| 227 | uint8_t previous_byte = 0; | 228 | uint8_t previous_byte = 0; |
| 228 | size_t buffer_pos = 0, global_pos = 0; | 229 | size_t buffer_pos = 0, global_pos = 0; |
| 229 | int len = 0; | 230 | int len = 0; |
| @@ -253,7 +254,8 @@ unpack_lzma_stream(transformer_state_t *xstate) | |||
| 253 | if (header.dict_size == 0) | 254 | if (header.dict_size == 0) |
| 254 | header.dict_size++; | 255 | header.dict_size++; |
| 255 | 256 | ||
| 256 | buffer = xmalloc(MIN(header.dst_size, header.dict_size)); | 257 | buffer_size = MIN(header.dst_size, header.dict_size); |
| 258 | buffer = xmalloc(buffer_size); | ||
| 257 | 259 | ||
| 258 | { | 260 | { |
| 259 | int num_probs; | 261 | int num_probs; |
| @@ -464,7 +466,10 @@ unpack_lzma_stream(transformer_state_t *xstate) | |||
| 464 | if ((int32_t)pos < 0) { | 466 | if ((int32_t)pos < 0) { |
| 465 | pos += header.dict_size; | 467 | pos += header.dict_size; |
| 466 | /* bug 10436 has an example file where this triggers: */ | 468 | /* bug 10436 has an example file where this triggers: */ |
| 467 | if ((int32_t)pos < 0) | 469 | //if ((int32_t)pos < 0) |
| 470 | // goto bad; | ||
| 471 | /* more stringent test (see unzip_bad_lzma_1.zip): */ | ||
| 472 | if (pos >= buffer_size) | ||
| 468 | goto bad; | 473 | goto bad; |
| 469 | } | 474 | } |
| 470 | previous_byte = buffer[pos]; | 475 | previous_byte = buffer[pos]; |
diff --git a/testsuite/unzip.tests b/testsuite/unzip.tests index 2e4becdb8..6bcb6b3a2 100755 --- a/testsuite/unzip.tests +++ b/testsuite/unzip.tests | |||
| @@ -14,7 +14,7 @@ | |||
| 14 | # Create a scratch directory | 14 | # Create a scratch directory |
| 15 | 15 | ||
| 16 | mkdir temp | 16 | mkdir temp |
| 17 | cd temp | 17 | cd temp || exit 90 |
| 18 | 18 | ||
| 19 | # Create test file to work with. | 19 | # Create test file to work with. |
| 20 | 20 | ||
| @@ -52,7 +52,18 @@ NzITNFBLBQUKAC4JAA04Cw0EOhZQSwUGAQAABAIAAgCZAAAAeQAAAAIALhM= | |||
| 52 | " | 52 | " |
| 53 | SKIP= | 53 | SKIP= |
| 54 | 54 | ||
| 55 | rm * | 55 | rm -f * |
| 56 | |||
| 57 | optional CONFIG_FEATURE_UNZIP_LZMA | ||
| 58 | testing "unzip (archive with corrupted lzma)" "unzip -p ../unzip_bad_lzma_1.zip 2>&1; echo \$?" \ | ||
| 59 | "unzip: removing leading '/' from member names | ||
| 60 | unzip: inflate error | ||
| 61 | 1 | ||
| 62 | " \ | ||
| 63 | "" "" | ||
| 64 | SKIP= | ||
| 65 | |||
| 66 | rm -f * | ||
| 56 | 67 | ||
| 57 | # Clean up scratch directory. | 68 | # Clean up scratch directory. |
| 58 | 69 | ||
diff --git a/testsuite/unzip_bad_lzma_1.zip b/testsuite/unzip_bad_lzma_1.zip new file mode 100644 index 000000000..1335c96d7 --- /dev/null +++ b/testsuite/unzip_bad_lzma_1.zip | |||
| Binary files differ | |||