[Bug 10871] Heap overflow in decompress_unlzma
bugzilla at busybox.net
Wed May 30 13:20:09 UTC 2018
https://bugs.busybox.net/show_bug.cgi?id=10871
--- Comment #20 from Denys Vlasenko <vda.linux at googlemail.com> ---
Because speed. When the check is inside another if(), it usually does not
execute.
    if ((int32_t)pos < 0) {
        pos += header.dict_size;
        /* see unzip_bad_lzma_2.zip: */
        if (pos >= buffer_size)
            goto bad;
    }
I understand your point that it looks like the second condition might also
happen when pos does not overflow, but (1) I want a proof that it's really
possible before I sacrifice decompression speed, and (2) I prefer to have a
testcase for the testsuite.
More information about the busybox-cvs mailing list