[git commit] unlzma: fix too-eager corruption check
Denys Vlasenko
vda.linux at googlemail.com
Tue Nov 27 10:52:14 UTC 2018
commit: https://git.busybox.net/busybox/commit/?id=e80d04b574456c2248bb38eee5a771dcd65b592c
branch: https://git.busybox.net/busybox/commit/?id=refs/heads/master
function old new delta
unpack_lzma_stream 2686 2674 -12
Signed-off-by: Denys Vlasenko <vda.linux at googlemail.com>
---
archival/libarchive/decompress_unlzma.c | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/archival/libarchive/decompress_unlzma.c b/archival/libarchive/decompress_unlzma.c
index 6886239d0..668b01618 100644
--- a/archival/libarchive/decompress_unlzma.c
+++ b/archival/libarchive/decompress_unlzma.c
@@ -353,8 +353,10 @@ unpack_lzma_stream(transformer_state_t *xstate)
if ((int32_t)pos < 0) {
pos += header.dict_size;
/* see unzip_bad_lzma_2.zip: */
- if (pos >= buffer_size)
+ if (pos >= buffer_size) {
+ dbg("%d pos:%d buffer_size:%d", __LINE__, pos, buffer_size);
goto bad;
+ }
}
previous_byte = buffer[pos];
goto one_byte1;
@@ -430,10 +432,9 @@ unpack_lzma_stream(transformer_state_t *xstate)
for (; num_bits2 != LZMA_NUM_ALIGN_BITS; num_bits2--)
rep0 = (rep0 << 1) | rc_direct_bit(rc);
rep0 <<= LZMA_NUM_ALIGN_BITS;
- if ((int32_t)rep0 < 0) {
- dbg("%d rep0:%d", __LINE__, rep0);
- goto bad;
- }
+ // Note: (int32_t)rep0 may be < 0 here
+ // (I have linux-3.3.4.tar.lzma which has it).
+ // I moved the check after "++rep0 == 0" check below.
prob3 = p + LZMA_ALIGN;
}
i2 = 1;
@@ -444,8 +445,13 @@ unpack_lzma_stream(transformer_state_t *xstate)
i2 <<= 1;
}
}
- if (++rep0 == 0)
- break;
+ rep0++;
+ if ((int32_t)rep0 <= 0) {
+ if (rep0 == 0)
+ break;
+ dbg("%d rep0:%d", __LINE__, rep0);
+ goto bad;
+ }
}
len += LZMA_MATCH_MIN_LEN;
More information about the busybox-cvs
mailing list