[Bug 10871] Heap overflow in decompress_unlzma

bugzilla at busybox.net bugzilla at busybox.net
Tue Apr 17 13:28:09 UTC 2018


https://bugs.busybox.net/show_bug.cgi?id=10871

--- Comment #7 from Andrej Valek <andrej.valek at siemens.com> ---
Reproducer file from (https://bugs.busybox.net/attachment.cgi?id=7306)

$ busybox unzip id_000008,sig_11,src_000775,op_havoc,rep_8 -oqd /tmp

archival/libarchive/decompress_unlzma.c
256: buffer = xmalloc(MIN(header.dst_size, header.dict_size));
 - header.dst_size = 744
 - header.dict_size = 1694695433
header.dst_size < header.dict_size, so the buffer is allocated to
header.dst_size (477)

462:
do {
        uint32_t pos = buffer_pos - rep0;
        // buffer_pos = 25, rep0 = 25227794 => pos = 4269739527
        if ((int32_t)pos < 0) {
                // 4269739527 += 1694695433 => pos = 1669467664
                pos += header.dict_size;
                if ((int32_t)pos < 0)
                        goto bad;
        }
        previous_byte = buffer[pos];
!!! Here is the problem: buffer is allocated to 744, but pos as index has the value
1669467664.

I think the root cause comes earlier, but the segmentation fault is only the
result.
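The index arithmetic from the comment above, replayed in a stand-alone harness (an added example, not code from the bug report or from busybox): `original_index` mirrors the wrap-around logic quoted at line 462, which only bounds `pos` against `header.dict_size`, while `checked_index` is an assumed hardened variant that additionally requires `pos` to lie inside the buffer actually allocated at line 256, `MIN(dst_size, dict_size)`. The numeric values are the ones reported in the comment.

```c
#include <stdint.h>
#include <stdio.h>

/* Mirrors line 256: buffer = xmalloc(MIN(header.dst_size, header.dict_size)). */
static uint32_t allocated_len(uint32_t dst_size, uint32_t dict_size)
{
    return dst_size < dict_size ? dst_size : dict_size;
}

/* Mirrors the index computation quoted at line 462.
 * Returns the index, or -1 where the original takes "goto bad".
 * Note the sign test after adding dict_size only proves pos < dict_size,
 * which says nothing about the (much smaller) allocated buffer. */
static int64_t original_index(uint32_t buffer_pos, uint32_t rep0, uint32_t dict_size)
{
    uint32_t pos = buffer_pos - rep0;          /* wraps modulo 2^32 */
    if ((int32_t)pos < 0) {
        pos += dict_size;
        if ((int32_t)pos < 0)
            return -1;                          /* goto bad */
    }
    return pos;
}

/* Assumed hardened variant (not the upstream fix): reject any index that
 * falls outside the heap block that was actually allocated. */
static int64_t checked_index(uint32_t buffer_pos, uint32_t rep0,
                             uint32_t dict_size, uint32_t alloc_len)
{
    int64_t pos = original_index(buffer_pos, rep0, dict_size);
    if (pos < 0 || (uint64_t)pos >= alloc_len)
        return -1;                              /* would read past the buffer */
    return pos;
}

int main(void)
{
    /* Values from the bug report. */
    const uint32_t dst_size = 744, dict_size = 1694695433;
    const uint32_t buffer_pos = 25, rep0 = 25227794;
    uint32_t len = allocated_len(dst_size, dict_size);

    printf("allocated %u bytes, original index = %lld, checked index = %lld\n",
           len, (long long)original_index(buffer_pos, rep0, dict_size),
           (long long)checked_index(buffer_pos, rep0, dict_size, len));
    return 0;
}
```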
