[Bug 10871] Heap overflow in decompress_unlzma

bugzilla at busybox.net bugzilla at busybox.net
Mon Apr 9 02:20:00 UTC 2018


https://bugs.busybox.net/show_bug.cgi?id=10871

--- Comment #3 from Denys Vlasenko <vda.linux at googlemail.com> ---
(In reply to Radovan Scasny from comment #2)
$ gdb --args ../busybox.nosuid unzip id_000008,sig_11,src_000775,op_havoc,rep_8 -oqd /tmp
(gdb)  run
Starting program: /home/busybox.nosuid unzip id_000008,sig_11,src_000775,op_havoc,rep_8 -oqd /tmp
unzip: removing leading '/' from member names

Program received signal SIGSEGV, Segmentation fault.
0x000a6b9c in unpack_lzma_stream (xstate=0xbefff9d8)
    at /usr/src/debug/busybox/1.27.2-r0/busybox-1.27.2/archival/libarchive/decompress_unlzma.c:459
459                                     previous_byte = buffer[pos];


Line 459 in the actual 1.27.2 source is different:

                        do {
                                uint32_t pos = buffer_pos - rep0;
                                if ((int32_t)pos < 0)
                                        pos += header.dict_size;
                                previous_byte = buffer[pos];
 IF_NOT_FEATURE_LZMA_FAST(one_byte2:)
                                buffer[buffer_pos++] = previous_byte;
                                if (buffer_pos == header.dict_size) {
LINE 459 =====>                         buffer_pos = 0;
                                        global_pos += header.dict_size;

I have a hard time debugging a problem for which I have no reproducer. Can you
give me the archive which causes the crash on unpack?

Also, please check whether current git crashes too.
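As an added illustration, not code from the bug report or from busybox itself, here is a small model of the dictionary back-reference index computed in the excerpt above (buffer ring of dict_size bytes, buffer_pos write index, global_pos bytes flushed on earlier wraps, rep0 match distance), together with the range checks a defender would want before the `buffer[pos]` read. The struct, function names and sample state are constructed for this example and assume nothing about the actual cause of bug 10871.

```c
#include <stdint.h>
#include <stddef.h>

/* Model of the LZMA sliding dictionary from the excerpt (constructed). */
struct dict {
    uint8_t *buffer;      /* ring of dict_size bytes */
    uint32_t dict_size;
    uint32_t buffer_pos;  /* next write index */
    uint32_t global_pos;  /* bytes flushed on previous wraps */
};

/* Index computation exactly as in the excerpt: a negative difference is
 * wrapped once by adding dict_size. If rep0 exceeds buffer_pos + dict_size
 * the single wrap is not enough and the result lands outside buffer[]. */
static uint32_t unchecked_pos(const struct dict *d, uint32_t rep0)
{
    uint32_t pos = d->buffer_pos - rep0;
    if ((int32_t)pos < 0)
        pos += d->dict_size;
    return pos;
}

/* Checked variant: rejects rep0 == 0, distances larger than the ring, and
 * distances reaching back past the bytes produced so far. Returns 0 and
 * stores the index on success, -1 otherwise. */
static int checked_pos(const struct dict *d, uint32_t rep0, uint32_t *out)
{
    uint64_t produced = (uint64_t)d->global_pos + d->buffer_pos;
    if (rep0 == 0 || rep0 > d->dict_size || rep0 > produced)
        return -1;
    *out = unchecked_pos(d, rep0);
    return 0;
}

/* One iteration of the copy loop in the excerpt, with the check in front. */
static int copy_byte(struct dict *d, uint32_t rep0)
{
    uint32_t pos;
    if (checked_pos(d, rep0, &pos) != 0)
        return -1;
    d->buffer[d->buffer_pos++] = d->buffer[pos];
    if (d->buffer_pos == d->dict_size) {
        d->buffer_pos = 0;
        d->global_pos += d->dict_size;
    }
    return 0;
}

/* Constructed sample state: 8-byte ring, 3 bytes produced, no wrap yet. */
static uint8_t sample_buf[8] = { 'A', 'B', 'C', 0, 0, 0, 0, 0 };
static struct dict sample_dict(void) { struct dict d = { sample_buf, 8, 3, 0 }; return d; }
```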
