[git commit] uncompress: fix buffer underrun by corrupted input

Denys Vlasenko vda.linux at googlemail.com
Thu Aug 18 12:29:41 UTC 2011


commit: http://git.busybox.net/busybox/commit/?id=251fc70e9722f931eec23a34030d05ba5f747b0e
branch: http://git.busybox.net/busybox/commit/?id=refs/heads/master

Signed-off-by: Denys Vlasenko <vda.linux at googlemail.com>
---
 archival/libarchive/decompress_uncompress.c |   13 ++++++++-----
 testsuite/uncompress.tests                  |   20 ++++++++++++++++++++
 2 files changed, 28 insertions(+), 5 deletions(-)
 create mode 100755 testsuite/uncompress.tests

diff --git a/archival/libarchive/decompress_uncompress.c b/archival/libarchive/decompress_uncompress.c
index 44d8942..329894b 100644
--- a/archival/libarchive/decompress_uncompress.c
+++ b/archival/libarchive/decompress_uncompress.c
@@ -163,7 +163,8 @@ unpack_Z_stream(int fd_in, int fd_out)
 
 		if (insize < (int) (IBUFSIZ + 64) - IBUFSIZ) {
 			rsize = safe_read(fd_in, inbuf + insize, IBUFSIZ);
-//error check??
+			if (rsize < 0)
+				bb_error_msg(bb_msg_read_error);
 			insize += rsize;
 		}
 
@@ -195,6 +196,8 @@ unpack_Z_stream(int fd_in, int fd_out)
 
 
 			if (oldcode == -1) {
+				if (code >= 256)
+					bb_error_msg_and_die("corrupted data"); /* %ld", code); */
 				oldcode = code;
 				finchar = (int) oldcode;
 				outbuf[outpos++] = (unsigned char) finchar;
@@ -239,6 +242,8 @@ unpack_Z_stream(int fd_in, int fd_out)
 
 			/* Generate output characters in reverse order */
 			while ((long) code >= (long) 256) {
+				if (stackp <= &htabof(0))
+					bb_error_msg_and_die("corrupted data");
 				*--stackp = tab_suffixof(code);
 				code = tab_prefixof(code);
 			}
@@ -263,8 +268,7 @@ unpack_Z_stream(int fd_in, int fd_out)
 						}
 
 						if (outpos >= OBUFSIZ) {
-							full_write(fd_out, outbuf, outpos);
-//error check??
+							xwrite(fd_out, outbuf, outpos);
 							IF_DESKTOP(total_written += outpos;)
 							outpos = 0;
 						}
@@ -292,8 +296,7 @@ unpack_Z_stream(int fd_in, int fd_out)
 	} while (rsize > 0);
 
 	if (outpos > 0) {
-		full_write(fd_out, outbuf, outpos);
-//error check??
+		xwrite(fd_out, outbuf, outpos);
 		IF_DESKTOP(total_written += outpos;)
 	}
 
diff --git a/testsuite/uncompress.tests b/testsuite/uncompress.tests
new file mode 100755
index 0000000..51a2334
--- /dev/null
+++ b/testsuite/uncompress.tests
@@ -0,0 +1,20 @@
+#!/bin/sh
+# Copyright 2011 by Denys Vlasenko
+# Licensed under GPLv2, see file LICENSE in this source tree.
+
+. ./testing.sh
+
+# testing "test name" "commands" "expected result" "file input" "stdin"
+
+testing "uncompress < \x1f\x9d\x90 \x01 x N" \
+'uncompress 2>&1 1>/dev/null; echo $?' \
+"\
+uncompress: corrupted data
+1
+" \
+"" "\
+\x1f\x9d\x90\
+\01\01\01\01\01\01\01\01\01\01\01\01\01\01\01\01\01\01\01\01\01\01\01\01\01\01\01\01\01\01\01\01\
+"
+
+exit $FAILCOUNT
-- 
1.7.3.4



More information about the busybox-cvs mailing list