| author | Denys Vlasenko <vda.linux@googlemail.com> | 2018-11-27 11:52:14 +0100 |
|---|---|---|
| committer | Denys Vlasenko <vda.linux@googlemail.com> | 2018-11-27 11:52:14 +0100 |
| commit | e80d04b574456c2248bb38eee5a771dcd65b592c (patch) | |
| tree | 28ce935bb2e2fec549bce5d93793d31d9b3e1313 | |
| parent | f4fc303e3679e4ab0d45f60c31f9b687f27f7452 (diff) | |
unlzma: fix too-eager corruption check
function old new delta
unpack_lzma_stream 2686 2674 -12
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
| -rw-r--r-- | archival/libarchive/decompress_unlzma.c | 20 |
1 files changed, 13 insertions, 7 deletions
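--- a/archival/libarchive/decompress_unlzma.c
+++ b/archival/libarchive/decompress_unlzma.c
@@ -353,8 +353,10 @@ unpack_lzma_stream(transformer_state_t *xstate)
 if ((int32_t)pos < 0) {
 pos += header.dict_size;
 /* see unzip_bad_lzma_2.zip: */
-if (pos >= buffer_size)
+if (pos >= buffer_size) {
+dbg("%d pos:%d buffer_size:%d", __LINE__, pos, buffer_size);
 goto bad;
+}
 }
 previous_byte = buffer[pos];
 goto one_byte1;
@@ -430,10 +432,9 @@ unpack_lzma_stream(transformer_state_t *xstate)
 for (; num_bits2 != LZMA_NUM_ALIGN_BITS; num_bits2--)
 rep0 = (rep0 << 1) | rc_direct_bit(rc);
 rep0 <<= LZMA_NUM_ALIGN_BITS;
-if ((int32_t)rep0 < 0) {
-dbg("%d rep0:%d", __LINE__, rep0);
-goto bad;
-}
+// Note: (int32_t)rep0 may be < 0 here
+// (I have linux-3.3.4.tar.lzma which has it).
+// I moved the check after "++rep0 == 0" check below.
 prob3 = p + LZMA_ALIGN;
 }
 i2 = 1;
@@ -444,8 +445,13 @@ unpack_lzma_stream(transformer_state_t *xstate)
 i2 <<= 1;
 }
 }
-if (++rep0 == 0)
-break;
+rep0++;
+if ((int32_t)rep0 <= 0) {
+if (rep0 == 0)
+break;
+dbg("%d rep0:%d", __LINE__, rep0);
+goto bad;
+}
 }
 
 len += LZMA_MATCH_MIN_LEN;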
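Review bot: The new `(int32_t)rep0 <= 0` test in the last hunk folds two different outcomes into one branch, and nothing at the check says which values are rejected. The only explanation is the `// I moved the check ...` note in the second hunk, which records the edit rather than the invariant. I would put a comment on the check itself, for example `/* rep0 wrapped to 0: end marker, stop decoding; top bit set: distance too large to be valid, treat as corrupt */`; the end-marker reading is inferred from the `break`, so please confirm it. In the added `dbg("%d rep0:%d", __LINE__, rep0);` rep0 looks unsigned given the cast, and on this path it is always >= 0x80000000, so `%u` would log the real distance instead of a negative number. The same may apply to `pos` and `buffer_size` in the first hunk's dbg(), whose declarations are not visible here. unpack_lzma_stream starts and ends outside the hunks shown.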
