[Bug 10871] Heap overflow in decompress_unlzma

bugzilla at busybox.net bugzilla at busybox.net
Mon Apr 9 02:20:00 UTC 2018


--- Comment #3 from Denys Vlasenko <vda.linux at googlemail.com> ---
(In reply to Radovan Scasny from comment #2)
$ gdb --args ../busybox.nosuid unzip id_000008,sig_11,src_000775,op_havoc,rep_8
-oqd /tmp
(gdb)  run
Starting program: /home/busybox.nosuid unzip
id_000008,sig_11,src_000775,op_havoc,rep_8 -oqd /tmp
unzip: removing leading '/' from member names

Program received signal SIGSEGV, Segmentation fault.
0x000a6b9c in unpack_lzma_stream (xstate=0xbefff9d8)
459                                     previous_byte = buffer[pos];

The line 459 in actual 1.27.2 source is different:

                        do {
                                uint32_t pos = buffer_pos - rep0;
                                if ((int32_t)pos < 0)
                                        pos += header.dict_size;
                                previous_byte = buffer[pos];
                                buffer[buffer_pos++] = previous_byte;
                                if (buffer_pos == header.dict_size) {
LINE 459 =====>                         buffer_pos = 0;
                                        global_pos += header.dict_size;

I have hard time debugging a problem for which I have no reproducer. Can you
give me the archive which causes crash on unpack?

Also, please check whether current git crashes too.

You are receiving this mail because:
You are on the CC list for the bug.

More information about the busybox-cvs mailing list