[git commit] unlzma: close another SEGV possibility

Denys Vlasenko vda.linux at googlemail.com
Fri May 25 15:03:46 UTC 2018


commit: https://git.busybox.net/busybox/commit/?id=a36986bb80289c1cd8d15a557e49207c9a42946b
branch: https://git.busybox.net/busybox/commit/?id=refs/heads/master

function                                             old     new   delta
unpack_lzma_stream                                  2669    2686     +17

Signed-off-by: Denys Vlasenko <vda.linux at googlemail.com>
---
 archival/libarchive/decompress_unlzma.c |   6 +++++-
 testsuite/unzip.tests                   |  19 ++++++++++++++++---
 testsuite/unzip_bad_lzma_2.zip          | Bin 0 -> 96 bytes
 3 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/archival/libarchive/decompress_unlzma.c b/archival/libarchive/decompress_unlzma.c
index 446319e7b..6886239d0 100644
--- a/archival/libarchive/decompress_unlzma.c
+++ b/archival/libarchive/decompress_unlzma.c
@@ -350,8 +350,12 @@ unpack_lzma_stream(transformer_state_t *xstate)
 						state = state < LZMA_NUM_LIT_STATES ? 9 : 11;
 
 						pos = buffer_pos - rep0;
-						if ((int32_t)pos < 0)
+						if ((int32_t)pos < 0) {
 							pos += header.dict_size;
+							/* see unzip_bad_lzma_2.zip: */
+							if (pos >= buffer_size)
+								goto bad;
+						}
 						previous_byte = buffer[pos];
 						goto one_byte1;
 #else
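Review bot: The added `pos >= buffer_size` test runs only inside the `(int32_t)pos < 0` branch, so `buffer[pos]` on the next line is still indexed without a bound when the subtraction result is non-negative as a signed value. Whether that matters depends on how `rep0` is limited, which this hunk does not show; if it is taken from the stream without an upper bound, `buffer_pos - rep0` could wrap to a large value that passes the sign test. Placing `if (pos >= buffer_size) goto bad;` after the closing brace would bound the index on both paths for one extra compare. The comment `/* see unzip_bad_lzma_2.zip: */` names the test file but not the reason; something like `/* dict_size can be larger than buffer_size, so the wrapped pos may be out of range */` would help, if that is indeed the relation set up earlier in unpack_lzma_stream, whose body starts and ends outside the hunk.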
diff --git a/testsuite/unzip.tests b/testsuite/unzip.tests
index 6bcb6b3a2..af53de9df 100755
--- a/testsuite/unzip.tests
+++ b/testsuite/unzip.tests
@@ -14,7 +14,7 @@
 # Create a scratch directory
 
 mkdir temp
-cd temp || exit 90
+cd temp || exit $?
 
 # Create test file to work with.
 
@@ -54,9 +54,22 @@ SKIP=
 
 rm -f *
 
-optional CONFIG_FEATURE_UNZIP_LZMA
-testing "unzip (archive with corrupted lzma)" "unzip -p ../unzip_bad_lzma_1.zip 2>&1; echo \$?" \
+optional FEATURE_UNZIP_LZMA
+testing "unzip (archive with corrupted lzma 1)" "unzip -p ../unzip_bad_lzma_1.zip 2>&1; echo \$?" \
 "unzip: removing leading '/' from member names
+unzip: corrupted data
+unzip: inflate error
+1
+" \
+"" ""
+SKIP=
+
+rm -f *
+
+optional FEATURE_UNZIP_LZMA
+testing "unzip (archive with corrupted lzma 2)" "unzip -p ../unzip_bad_lzma_2.zip 2>&1; echo \$?" \
+"unzip: removing leading '/' from member names
+unzip: corrupted data
 unzip: inflate error
 1
 " \
diff --git a/testsuite/unzip_bad_lzma_2.zip b/testsuite/unzip_bad_lzma_2.zip
new file mode 100644
index 000000000..cdb917088
Binary files /dev/null and b/testsuite/unzip_bad_lzma_2.zip differ

