[git commit] unlzma: fix segfault on bad archive

Denys Vlasenko vda.linux at googlemail.com
Sun Apr 8 18:45:16 UTC 2018


commit: https://git.busybox.net/busybox/commit/?id=a1870f4807a75663a085c9f5e92870fa7554f0ad
branch: https://git.busybox.net/busybox/commit/?id=refs/heads/master

function                                             old     new   delta
unpack_lzma_stream                                  2647    2653      +6

Signed-off-by: Denys Vlasenko <vda.linux at googlemail.com>
---
 archival/libarchive/decompress_unlzma.c |  11 +++++++++++
 testsuite/unlzma.tests                  |  21 +++++++++++++++++++++
 testsuite/unlzma_issue_1.lzma           | Bin 0 -> 171 bytes
 testsuite/unlzma_issue_2.lzma           | Bin 0 -> 261 bytes
 4 files changed, 32 insertions(+)

diff --git a/archival/libarchive/decompress_unlzma.c b/archival/libarchive/decompress_unlzma.c
index be4342414..80a453806 100644
--- a/archival/libarchive/decompress_unlzma.c
+++ b/archival/libarchive/decompress_unlzma.c
@@ -11,6 +11,13 @@
 #include "libbb.h"
 #include "bb_archive.h"
 
+#if 0
+# define dbg(...) bb_error_msg(__VA_ARGS__)
+#else
+# define dbg(...) ((void)0)
+#endif
+
+
 #if ENABLE_FEATURE_LZMA_FAST
 #  define speed_inline ALWAYS_INLINE
 #  define size_inline
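Review bot: The disabled form `# define dbg(...) ((void)0)` discards its arguments before the compiler sees them, so a format/argument mismatch in any dbg() call goes unnoticed until someone flips the `#if 0`. The call added in the second hunk, `dbg("%d rep0:%d", __LINE__, rep0)`, passes rep0 to `%d` although the `(int32_t)rep0` cast beside it suggests rep0 is unsigned. A form such as `# define dbg(...) do { if (0) bb_error_msg(__VA_ARGS__); } while (0)` keeps the calls checked and still compiles to nothing. This assumes bb_error_msg is declared with a printf format attribute, which is not visible on this page.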
@@ -417,6 +424,10 @@ unpack_lzma_stream(transformer_state_t *xstate)
 						for (; num_bits2 != LZMA_NUM_ALIGN_BITS; num_bits2--)
 							rep0 = (rep0 << 1) | rc_direct_bit(rc);
 						rep0 <<= LZMA_NUM_ALIGN_BITS;
+						if ((int32_t)rep0 < 0) {
+							dbg("%d rep0:%d", __LINE__, rep0);
+							goto bad;
+						}
 						prob3 = p + LZMA_ALIGN;
 					}
 					i2 = 1;
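Review bot: The guard `if ((int32_t)rep0 < 0)` has no comment saying what rep0 represents or why a set top bit means a corrupt stream, and it bounds the value only by sign. I would add above it something like `/* rep0 is presumably the match distance; a set top bit can only come from a damaged stream */`. A value below 2^31 that still exceeds the amount of data already decoded is not rejected here, so it is worth confirming that the code after this hunk checks rep0 against the output position before it is used for a copy. unpack_lzma_stream starts and ends outside the hunk, so any such later check is not visible.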
diff --git a/testsuite/unlzma.tests b/testsuite/unlzma.tests
new file mode 100755
index 000000000..0e98afe09
--- /dev/null
+++ b/testsuite/unlzma.tests
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+. ./testing.sh
+
+# testing "test name" "commands" "expected result" "file input" "stdin"
+#   file input will be file called "input"
+#   test can create a file "actual" instead of writing to stdout
+
+# Damaged encrypted streams
+testing "unlzma (bad archive 1)" \
+	"unlzma <unlzma_issue_1.lzma >/dev/null; echo \$?" \
+"1
+" "" ""
+
+# Damaged encrypted streams
+testing "unlzma (bad archive 2)" \
+	"unlzma <unlzma_issue_2.lzma >/dev/null; echo \$?" \
+"1
+" "" ""
+
+exit $FAILCOUNT
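Review bot: Both test comments read `# Damaged encrypted streams`, but nothing in these tests involves encryption; the wording looks copied from another test file. Something like `# Corrupt .lzma input: must exit 1 instead of crashing` would state what is actually being checked. The commands assert only the exit status, which is enough to tell a clean failure from death by signal, so the commands themselves need no change.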
diff --git a/testsuite/unlzma_issue_1.lzma b/testsuite/unlzma_issue_1.lzma
new file mode 100644
index 000000000..fb70104ba
Binary files /dev/null and b/testsuite/unlzma_issue_1.lzma differ
diff --git a/testsuite/unlzma_issue_2.lzma b/testsuite/unlzma_issue_2.lzma
new file mode 100644
index 000000000..853f0fc29
Binary files /dev/null and b/testsuite/unlzma_issue_2.lzma differ

