[Bug 12896] New: Gzip decompression, erroneous "corrupted data" when extra field length > 16384 bytes, patch included.

bugzilla at busybox.net
Tue May 12 17:10:56 UTC 2020


https://bugs.busybox.net/show_bug.cgi?id=12896

            Bug ID: 12896
           Summary: Gzip decompression, erroneous "corrupted data" when
                    extra field length > 16384 bytes, patch included.
           Product: Busybox
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: Standard Compliance
          Assignee: unassigned at busybox.net
          Reporter: busybox.dev at lo2.fr
                CC: busybox-cvs at busybox.net
  Target Milestone: ---

Created attachment 8461
  --> https://bugs.busybox.net/attachment.cgi?id=8461&action=edit
busybox_gzip_extra_field.tar.gz

The gzip specification allows for an extra field of max size 65535 (0xFFFF)
bytes.

However, when a gzip file contains an extra field of more than 16384 (0x4000),
the decompression erroneously fails with an error message "corrupted data".

In archival/libarchive/decompress_gunzip.c, the code that checks the gzip
header does not check that the extra field length might be over bytebuffer_max.
When that's the case, the top_up(extra field length) function call fails, and
the header check fails.

The included file contains:
  - The patch that fixes the issue
  - Two gzip files, one that triggers the error, and one that does not.

All these files have no rights reserved, and can therefore conform to the
relevant licenses of this project.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
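
The failure mode in the report above, as an added example (not BusyBox code and not the attached patch): a gzip header parser that consumes the extra field in chunks, so a read window smaller than the 65535-byte maximum never rejects a valid file, while truncated input is still refused. `WINDOW_MAX`, `struct src` and every function name are hypothetical, and the sample headers are constructed in memory.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define WINDOW_MAX 0x4000 /* assumed buffer size: the 16384 figure from the report */
struct src { const uint8_t *p; size_t left; }; /* in-memory stand-in for a stream */

/* Read up to n bytes into dst; returns the count actually read. */
static size_t src_read(struct src *s, uint8_t *dst, size_t n) {
    if (n > s->left) n = s->left;
    memcpy(dst, s->p, n);
    s->p += n; s->left -= n;
    return n;
}

/* Discard n bytes through a window that never holds more than WINDOW_MAX. */
static int src_skip(struct src *s, size_t n) {
    static uint8_t window[WINDOW_MAX];
    while (n > 0) {
        size_t chunk = n < WINDOW_MAX ? n : WINDOW_MAX;
        if (src_read(s, window, chunk) != chunk) return -1; /* truncated input */
        n -= chunk;
    }
    return 0;
}

/* Parse one RFC 1952 member header; on 0, s points at the deflate data. */
int gz_skip_header(struct src *s) {
    uint8_t h[10], b[2];
    if (src_read(s, h, 10) != 10) return -1;
    if (h[0] != 0x1f || h[1] != 0x8b || h[2] != 8 || (h[3] & 0xe0)) return -1;
    if (h[3] & 0x04) { /* FEXTRA: little-endian XLEN, then XLEN bytes */
        if (src_read(s, b, 2) != 2) return -1;
        if (src_skip(s, (size_t)b[0] | ((size_t)b[1] << 8))) return -1;
    }
    for (int bit = 0x08; bit <= 0x10; bit <<= 1) /* FNAME, FCOMMENT */
        if (h[3] & bit)
            do { if (src_read(s, b, 1) != 1) return -1; } while (b[0]);
    if ((h[3] & 0x02) && src_read(s, b, 2) != 2) return -1; /* FHCRC */
    return 0;
}

/* Constructed sample: header + xlen-byte extra field + 1 marker byte, with
 * `cut` bytes chopped off the end. Returns bytes left after the header, or -1. */
long demo_remaining(unsigned xlen, size_t cut) {
    static uint8_t buf[12 + 0xFFFF + 1] = { 0x1f, 0x8b, 8, 0x04 };
    buf[10] = xlen & 0xff; buf[11] = xlen >> 8;
    struct src s = { buf, 12 + (size_t)xlen + 1 - cut };
    return gz_skip_header(&s) ? -1 : (long)s.left;
}
```

`demo_remaining(0x4001, 0)` exercises the size just past the window limit; a `cut` greater than 1 removes bytes from the extra field itself and must be reported as an error.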

