[git commit] unlzma: fix another SEGV case

Denys Vlasenko vda.linux at googlemail.com
Thu Apr 19 17:30:51 UTC 2018


commit: https://git.busybox.net/busybox/commit/?id=e09c426456cfd030cc868d93bbcb2e0a6933cabb
branch: https://git.busybox.net/busybox/commit/?id=refs/heads/master

function                                             old     new   delta
unpack_lzma_stream                                  1705    1717     +12

Signed-off-by: Denys Vlasenko <vda.linux at googlemail.com>
---
 archival/libarchive/decompress_unlzma.c |   9 +++++++--
 testsuite/unzip.tests                   |  15 +++++++++++++--
 testsuite/unzip_bad_lzma_1.zip          | Bin 0 -> 229 bytes
 3 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/archival/libarchive/decompress_unlzma.c b/archival/libarchive/decompress_unlzma.c
index 80a453806..42efd5aa7 100644
--- a/archival/libarchive/decompress_unlzma.c
+++ b/archival/libarchive/decompress_unlzma.c
@@ -224,6 +224,7 @@ unpack_lzma_stream(transformer_state_t *xstate)
 	rc_t *rc;
 	int i;
 	uint8_t *buffer;
+	uint32_t buffer_size;
 	uint8_t previous_byte = 0;
 	size_t buffer_pos = 0, global_pos = 0;
 	int len = 0;
@@ -253,7 +254,8 @@ unpack_lzma_stream(transformer_state_t *xstate)
 	if (header.dict_size == 0)
 		header.dict_size++;
 
-	buffer = xmalloc(MIN(header.dst_size, header.dict_size));
+	buffer_size = MIN(header.dst_size, header.dict_size);
+	buffer = xmalloc(buffer_size);
 
 	{
 		int num_probs;
@@ -464,7 +466,10 @@ unpack_lzma_stream(transformer_state_t *xstate)
 				if ((int32_t)pos < 0) {
 					pos += header.dict_size;
 					/* bug 10436 has an example file where this triggers: */
-					if ((int32_t)pos < 0)
+					//if ((int32_t)pos < 0)
+					//	goto bad;
+					/* more stringent test (see unzip_bad_lzma_1.zip): */
+					if (pos >= buffer_size)
 						goto bad;
 				}
 				previous_byte = buffer[pos];
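Review bot: The two commented-out lines `//if ((int32_t)pos < 0)` / `//	goto bad;` left above the new test are dead code and should be deleted rather than kept as in-source history; the new `pos >= buffer_size` test already rejects every value the old one did (a uint32_t with its top bit set exceeds any buffer_size up to 2 GiB, and above that such indices are genuinely inside the allocation), so the block can simply read `/* wrapped distance must still land inside the (possibly dst_size-limited) buffer: */` followed by the check. The test also only proves pos is inside the allocation, not inside data that has already been written: before the dictionary has wrapped once, a wrapped pos at or past the bytes produced so far lands on memory that xmalloc never initialised, and `previous_byte = buffer[pos]` would presumably carry uninitialised heap bytes into the decoded output. Reference LZMA decoders reject a match whose distance exceeds the number of bytes decoded so far; global_pos and buffer_pos look like the counters that track that here, so a check of that form on the same path is worth adding, though the distance computation sits above the hunk and I cannot confirm the exact variables. unpack_lzma_stream begins and ends outside this hunk.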
diff --git a/testsuite/unzip.tests b/testsuite/unzip.tests
index 2e4becdb8..6bcb6b3a2 100755
--- a/testsuite/unzip.tests
+++ b/testsuite/unzip.tests
@@ -14,7 +14,7 @@
 # Create a scratch directory
 
 mkdir temp
-cd temp
+cd temp || exit 90
 
 # Create test file to work with.
 
@@ -52,7 +52,18 @@ NzITNFBLBQUKAC4JAA04Cw0EOhZQSwUGAQAABAIAAgCZAAAAeQAAAAIALhM=
 "
 SKIP=
 
-rm *
+rm -f *
+
+optional CONFIG_FEATURE_UNZIP_LZMA
+testing "unzip (archive with corrupted lzma)" "unzip -p ../unzip_bad_lzma_1.zip 2>&1; echo \$?" \
+"unzip: removing leading '/' from member names
+unzip: inflate error
+1
+" \
+"" ""
+SKIP=
+
+rm -f *
 
 # Clean up scratch directory.
 
diff --git a/testsuite/unzip_bad_lzma_1.zip b/testsuite/unzip_bad_lzma_1.zip
new file mode 100644
index 000000000..1335c96d7
Binary files /dev/null and b/testsuite/unzip_bad_lzma_1.zip differ

