| author | Denys Vlasenko <vda.linux@googlemail.com> | 2018-04-08 20:02:01 +0200 |
|---|---|---|
| committer | Denys Vlasenko <vda.linux@googlemail.com> | 2018-04-08 20:05:04 +0200 |
| commit | 38ccd6af8abbafff98d458a1c62909acfc09a514 (patch) | |
| tree | 1a4158db5c7e5e98111ff99d4a9078d93b4ccfcc /libbb | |
| parent | 8e2174e9bd836e53c8b9c6e00d1bc6e2a718686e (diff) | |
bzip2: fix two crashes on corrupted archives
As it turns out, longjmp'ing into freed stack is not healthy...
function old new delta
unpack_usage_messages - 97 +97
unpack_bz2_stream 369 409 +40
get_next_block 1667 1677 +10
get_bits 156 155 -1
start_bunzip 212 183 -29
bb_show_usage 181 120 -61
------------------------------------------------------------------------------
(add/remove: 1/0 grow/shrink: 2/3 up/down: 147/-91) Total: 56 bytes
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Diffstat (limited to 'libbb')
| -rw-r--r-- | libbb/appletlib.c | 17 |
1 files changed, 12 insertions, 5 deletions
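--- a/libbb/appletlib.c
+++ b/libbb/appletlib.c
@@ -102,14 +102,21 @@ static const char *unpack_usage_messages(void)
 char *outbuf = NULL;
 bunzip_data *bd;
 int i;
+jmp_buf jmpbuf;
 
-i = start_bunzip(&bd,
+/* Setup for I/O error handling via longjmp */
+i = setjmp(jmpbuf);
+if (i == 0) {
+i = start_bunzip(&jmpbuf,
+&bd,
 /* src_fd: */ -1,
 /* inbuf: */ packed_usage,
-/* len: */ sizeof(packed_usage));
-/* read_bunzip can longjmp to start_bunzip, and ultimately
- * end up here with i != 0 on read data errors! Not trivial */
-if (!i) {
+/* len: */ sizeof(packed_usage)
+);
+}
+/* read_bunzip can longjmp and end up here with i != 0
+ * on read data errors! Not trivial */
+if (i == 0) {
 /* Cannot use xmalloc: will leak bd in NOFORK case! */
 outbuf = malloc_or_warn(sizeof(UNPACKED_USAGE));
 if (outbuf)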
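Review bot: `outbuf` is written after `setjmp()` returns at new line 108 (`outbuf = malloc_or_warn(...)` inside the `i == 0` branch at new line 121), so if the tail of the function beyond this hunk reads it after `read_bunzip()` longjmps back, its value is indeterminate under C11 7.13.2.1 unless it is declared `volatile`; the same applies to `bd`, which is filled in by `start_bunzip()` after the setjmp. Declaring `char *volatile outbuf = NULL;` makes the post-longjmp read well-defined (for `bd` the same qualifier would also require adjusting the `&bd` argument to `start_bunzip`, so that one is a judgement call). Separately, `i = setjmp(jmpbuf);` is not one of the contexts C11 7.13.1.1 permits for a setjmp call (the whole controlling expression of `if`/`while`/`switch`, a comparison with an integer constant, the operand of `!`, or a lone expression statement); `if (setjmp(jmpbuf) == 0) { i = start_bunzip(...); } else { i = 1; }` keeps the same logic in a conforming form. The body of unpack_usage_messages continues past the end of the hunk.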
