author | Denys Vlasenko <vda.linux@googlemail.com> | 2018-05-25 17:03:46 +0200 |
---|---|---|
committer | Denys Vlasenko <vda.linux@googlemail.com> | 2018-05-25 17:03:46 +0200 |
commit | a36986bb80289c1cd8d15a557e49207c9a42946b (patch) | |
tree | 15f40fd0cbd8906b29f14d1871db263445058cdf | |
parent | 8f48fc01e9e43d16bf5860fa37252b43c76cb395 (diff) |
unlzma: close another SEGV possibility
function old new delta
unpack_lzma_stream 2669 2686 +17
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
-rw-r--r-- | archival/libarchive/decompress_unlzma.c | 6 | ||||
-rwxr-xr-x | testsuite/unzip.tests | 19 | ||||
-rw-r--r-- | testsuite/unzip_bad_lzma_2.zip | bin | 0 -> 96 bytes |
3 files changed, 21 insertions, 4 deletions
diff --git a/archival/libarchive/decompress_unlzma.c b/archival/libarchive/decompress_unlzma.c
index 446319e7b..6886239d0 100644
--- a/archival/libarchive/decompress_unlzma.c
+++ b/archival/libarchive/decompress_unlzma.c
@@ -350,8 +350,12 @@ unpack_lzma_stream(transformer_state_t *xstate)
 state = state < LZMA_NUM_LIT_STATES ? 9 : 11;
 pos = buffer_pos - rep0;
- if ((int32_t)pos < 0)
+ if ((int32_t)pos < 0) {
 pos += header.dict_size;
+ /* see unzip_bad_lzma_2.zip: */
+ if (pos >= buffer_size)
+ goto bad;
+ }
 previous_byte = buffer[pos];
 goto one_byte1;
 #else
diff --git a/testsuite/unzip.tests b/testsuite/unzip.tests
index 6bcb6b3a2..af53de9df 100755
--- a/testsuite/unzip.tests
+++ b/testsuite/unzip.tests
@@ -14,7 +14,7 @@
 # Create a scratch directory
 mkdir temp
-cd temp || exit 90
+cd temp || exit $?
 # Create test file to work with.
@@ -54,9 +54,22 @@ SKIP=
 rm -f *
-optional CONFIG_FEATURE_UNZIP_LZMA
-testing "unzip (archive with corrupted lzma)" "unzip -p ../unzip_bad_lzma_1.zip 2>&1; echo \$?" \
+optional FEATURE_UNZIP_LZMA
+testing "unzip (archive with corrupted lzma 1)" "unzip -p ../unzip_bad_lzma_1.zip 2>&1; echo \$?" \
 "unzip: removing leading '/' from member names
+unzip: corrupted data
+unzip: inflate error
+1
+" \
+"" ""
+SKIP=
+
+rm -f *
+
+optional FEATURE_UNZIP_LZMA
+testing "unzip (archive with corrupted lzma 2)" "unzip -p ../unzip_bad_lzma_2.zip 2>&1; echo \$?" \
+"unzip: removing leading '/' from member names
+unzip: corrupted data
 unzip: inflate error
 1
 " \
diff --git a/testsuite/unzip_bad_lzma_2.zip b/testsuite/unzip_bad_lzma_2.zip
Binary files differ
new file mode 100644
index 000000000..cdb917088
--- /dev/null
+++ b/testsuite/unzip_bad_lzma_2.zip |
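Review bot: In the decompress_unlzma.c hunk the new `pos >= buffer_size` test runs only inside the `(int32_t)pos < 0` branch, so `buffer[pos]` is still read unchecked whenever `buffer_pos - rep0` does not come out negative as an int32_t. Whether a decoded `rep0` can put that difference at or above `buffer_size` without it looking negative depends on the types and ranges of `pos` and `rep0`, which are declared outside the hunk, but the guard costs nothing if it is hoisted out of the braces: `if ((int32_t)pos < 0) pos += header.dict_size;` followed by `if (pos >= buffer_size) goto bad;`. The `#else` path that starts on the hunk's last line is not shown, so it is worth confirming that it reaches an equivalent bound check before indexing `buffer`. unpack_lzma_stream begins and ends outside the hunk.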