[Bug 10871] Heap overflow in decompress_unlzma
bugzilla at busybox.net
Mon Apr 9 02:20:00 UTC 2018
https://bugs.busybox.net/show_bug.cgi?id=10871
--- Comment #3 from Denys Vlasenko <vda.linux at googlemail.com> ---
(In reply to Radovan Scasny from comment #2)
$ gdb --args ../busybox.nosuid unzip id_000008,sig_11,src_000775,op_havoc,rep_8 -oqd /tmp
(gdb) run
Starting program: /home/busybox.nosuid unzip id_000008,sig_11,src_000775,op_havoc,rep_8 -oqd /tmp
unzip: removing leading '/' from member names
Program received signal SIGSEGV, Segmentation fault.
0x000a6b9c in unpack_lzma_stream (xstate=0xbefff9d8)
    at /usr/src/debug/busybox/1.27.2-r0/busybox-1.27.2/archival/libarchive/decompress_unlzma.c:459
459         previous_byte = buffer[pos];
Line 459 in the actual 1.27.2 source is different:

                do {
                        uint32_t pos = buffer_pos - rep0;
                        if ((int32_t)pos < 0)
                                pos += header.dict_size;
                        previous_byte = buffer[pos];
 IF_NOT_FEATURE_LZMA_FAST(one_byte2:)
                        buffer[buffer_pos++] = previous_byte;
                        if (buffer_pos == header.dict_size) {
LINE 459 =====>                 buffer_pos = 0;
                                global_pos += header.dict_size;
I have a hard time debugging a problem for which I have no reproducer. Can you give me the archive which causes a crash on unpack?

Also, please check whether current git crashes too.
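Added example, not code from the bug report or from the BusyBox source: it models the dictionary ring-buffer index arithmetic of the quoted snippet (names buffer_pos, rep0 and dict_size follow the snippet), shows when the single wrap-around correction leaves the index outside the dictionary, and pairs it with a variant that validates the distance before it is used as an index. The filled counter and all function names are assumptions.

```c
/* Added example, not from the bug report or BusyBox. Models the dictionary
 * ring-buffer back-reference of the quoted decompress_unlzma.c snippet.
 * buffer_pos, rep0 and dict_size follow the snippet; "filled" (bytes decoded
 * so far, tracked by the caller) and the function names are constructed. */
#include <stdbool.h>
#include <stdint.h>

/* Index computation as in the quoted snippet: one wrap-around correction,
 * no range check. Only correct while 1 <= rep0 <= dict_size. */
uint32_t lzma_back_index(uint32_t buffer_pos, uint32_t rep0, uint32_t dict_size)
{
    uint32_t pos = buffer_pos - rep0;   /* wraps below zero when rep0 > buffer_pos */
    if ((int32_t)pos < 0)
        pos += dict_size;               /* undoes the wrap only if rep0 <= dict_size */
    return pos;
}

/* True when the index the snippet would use lies inside the dictionary,
 * i.e. when the unchecked buffer[pos] read stays in bounds. A distance
 * larger than dict_size, or one so large that (int32_t)pos is already
 * positive, yields an index past the end of the buffer. */
bool lzma_back_index_in_bounds(uint32_t buffer_pos, uint32_t rep0, uint32_t dict_size)
{
    return lzma_back_index(buffer_pos, rep0, dict_size) < dict_size;
}

/* Hardened variant: reject the distance if it exceeds the dictionary size
 * or the number of bytes decoded so far, before it is ever used as an
 * index. Returns the index, or -1 so the caller can abort the stream. */
int64_t lzma_back_index_checked(uint32_t buffer_pos, uint32_t rep0,
                                uint32_t dict_size, uint64_t filled)
{
    if (rep0 == 0 || rep0 > dict_size || rep0 > filled)
        return -1;                      /* corrupt or hostile distance */
    return lzma_back_index(buffer_pos, rep0, dict_size);
}
```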