[Bug 10871] Heap overflow in decompress_unlzma

bugzilla at busybox.net
Wed May 30 13:20:09 UTC 2018


https://bugs.busybox.net/show_bug.cgi?id=10871

--- Comment #20 from Denys Vlasenko <vda.linux at googlemail.com> ---
Because speed. When the check is inside other if(), it usually does not
execute.

        if ((int32_t)pos < 0) {
                pos += header.dict_size;
                /* see unzip_bad_lzma_2.zip: */
                if (pos >= buffer_size)
                        goto bad;
        }

I understand your point that it looks like the second condition might also
happen when pos does not overflow, but (1) I want a proof that it's really
possible before I sacrifice decompression speed, and (2) I prefer to have a
testcase for the testsuite.

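An added model of the two check placements under discussion, written for this page and not taken from busybox or from the bug thread; buffer_pos, dict_size, buffer_size and the rep0 values are constructed inputs, and buffer_size <= dict_size is an assumption. It only shows the arithmetic of where the two placements differ; whether the real decoder can produce such a rep0 is exactly the proof the comment asks for, and the model does not establish it.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of the dictionary-position arithmetic quoted in the comment.
 * buffer_pos:  current write offset into the circular dictionary buffer
 * rep0:        match distance decoded from the stream
 * dict_size:   dictionary size declared in the LZMA header
 * buffer_size: bytes actually allocated (assumed <= dict_size here)
 * Returns the source offset, or -1 where the real code would "goto bad". */

/* Variant A: bound checked only inside the wrap branch, as quoted. */
static int64_t pos_check_inside(uint32_t buffer_pos, uint32_t rep0,
                                uint32_t dict_size, uint32_t buffer_size)
{
    uint32_t pos = buffer_pos - rep0;     /* unsigned wrap-around is defined */
    if ((int32_t)pos < 0) {               /* same test as the quoted code */
        pos += dict_size;
        if (pos >= buffer_size)
            return -1;
    }
    return pos;
}

/* Variant B: same wrap, but the bound is checked on every path. */
static int64_t pos_check_always(uint32_t buffer_pos, uint32_t rep0,
                                uint32_t dict_size, uint32_t buffer_size)
{
    uint32_t pos = buffer_pos - rep0;
    if ((int32_t)pos < 0)
        pos += dict_size;
    if (pos >= buffer_size)
        return -1;
    return pos;
}

/* 1 when the two placements give different answers for these inputs. */
static int variants_disagree(uint32_t buffer_pos, uint32_t rep0,
                             uint32_t dict_size, uint32_t buffer_size)
{
    return pos_check_inside(buffer_pos, rep0, dict_size, buffer_size)
        != pos_check_always(buffer_pos, rep0, dict_size, buffer_size);
}

int main(void)
{
    /* Constructed inputs: 1 MiB dictionary, only 4 KiB actually allocated. */
    const uint32_t dict = 1u << 20, buf = 4096;
    const uint32_t rep0s[] = { 10, 200, 0xFFFFFFF0u, 0x80000100u };
    for (size_t i = 0; i < sizeof rep0s / sizeof rep0s[0]; i++)
        printf("rep0=0x%08x inside=%lld always=%lld\n", rep0s[i],
               (long long)pos_check_inside(100, rep0s[i], dict, buf),
               (long long)pos_check_always(100, rep0s[i], dict, buf));
    return 0;
}
```

The first two rep0 values (ordinary match, underflow into the wrap branch) give the same answer under both placements; the last one yields a pos that is non-negative as int32_t yet far beyond buffer_size, which only variant B rejects.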

