[Bug 9491] Infinite loop in unlzma
bugzilla at busybox.net
bugzilla at busybox.net
Mon Jan 9 13:02:46 UTC 2017
https://bugs.busybox.net/show_bug.cgi?id=9491
Denys Vlasenko <vda.linux at googlemail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |FIXED
Status|NEW |RESOLVED
--- Comment #1 from Denys Vlasenko <vda.linux at googlemail.com> ---
commit b5ee04c4142c1e4841d2a8a2badcec3128e18f57
Author: Denys Vlasenko <vda.linux at googlemail.com>
Date: Mon Jan 9 13:55:11 2017 +0100
unlzma: fix erroneous "while" instead of "if"
These parts of the code essentially check whether
stepping back by rep0 goes negative or not.
LZMA SDK from lzma1604.7z has the following in the corresponding places:
... = dic[dicPos - rep0 + (dicPos < rep0 ? dicBufSize : 0)]
Clearly, not loop here.
Technically, "while" here works: if condition is false (because pos
underflowed), it iterates once, adds header.dict_size (a.k.a. dicBufSize),
this makes pos positive but smaller than header.dict_size, and loop exits.
Now we'll just check for negative result of subtraction, which is less
code:
function old new delta
unpack_lzma_stream 2659 2641 -18
(I hope 2 Gbyte+ dictionaries won't be in use soon).
...
...
uint32_t pos = buffer_pos - rep0;
- while (pos >= header.dict_size)
+ pos = buffer_pos - rep0;
+ if ((int32_t)pos < 0)
pos += header.dict_size;
--
You are receiving this mail because:
You are on the CC list for the bug.
More information about the busybox-cvs
mailing list