[Bug 10436] LZMA decompression crash

bugzilla at busybox.net bugzilla at busybox.net
Wed Oct 25 17:48:03 UTC 2017


https://bugs.busybox.net/show_bug.cgi?id=10436

--- Comment #3 from Christoph Biedl <busybox.cskc at manchmal.in-ulm.de> ---
This is actually a regression, introduced with

commit 3989e5adf454a3ab98412b249c2c9bd2a3175ae0 (refs/bisect/bad)
Author: Denys Vlasenko <vda.linux at googlemail.com>
Date:   Mon Jan 9 13:55:11 2017 +0100

    unlzma: fix erroneous "while" instead of "if". Closes 4682

Looking at the last hunk I wild-guessed the patch below. Check
thoroughly, I might be horribly wrong.

    Christoph

--- a/archival/libarchive/decompress_unlzma.c
+++ b/archival/libarchive/decompress_unlzma.c
@@ -450,8 +450,11 @@ unpack_lzma_stream(transformer_state_t *xstate)
  IF_NOT_FEATURE_LZMA_FAST(string:)
                        do {
                                uint32_t pos = buffer_pos - rep0;
-                               if ((int32_t)pos < 0)
+                               if ((int32_t)pos < 0) {
                                        pos += header.dict_size;
+                                       if ((int32_t)pos < 0)
+                                               goto bad;
+                               }
                                previous_byte = buffer[pos];
  IF_NOT_FEATURE_LZMA_FAST(one_byte2:)
                                buffer[buffer_pos++] = previous_byte;
