authorDenys Vlasenko <vda.linux@googlemail.com>2018-05-25 17:03:46 +0200
committerDenys Vlasenko <vda.linux@googlemail.com>2018-05-25 17:03:46 +0200
commita36986bb80289c1cd8d15a557e49207c9a42946b (patch)
tree15f40fd0cbd8906b29f14d1871db263445058cdf
parent8f48fc01e9e43d16bf5860fa37252b43c76cb395 (diff)
unlzma: close another SEGV possibility
function old new delta unpack_lzma_stream 2669 2686 +17 Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
-rw-r--r--archival/libarchive/decompress_unlzma.c6
-rwxr-xr-xtestsuite/unzip.tests19
-rw-r--r--testsuite/unzip_bad_lzma_2.zipbin0 -> 96 bytes
3 files changed, 21 insertions, 4 deletions
diff --git a/archival/libarchive/decompress_unlzma.c b/archival/libarchive/decompress_unlzma.c
index 446319e7b..6886239d0 100644
--- a/archival/libarchive/decompress_unlzma.c
+++ b/archival/libarchive/decompress_unlzma.c
@@ -350,8 +350,12 @@ unpack_lzma_stream(transformer_state_t *xstate)
state = state < LZMA_NUM_LIT_STATES ? 9 : 11;
pos = buffer_pos - rep0;
- if ((int32_t)pos < 0)
+ if ((int32_t)pos < 0) {
pos += header.dict_size;
+ /* see unzip_bad_lzma_2.zip: */
+ if (pos >= buffer_size)
+ goto bad;
+ }
previous_byte = buffer[pos];
goto one_byte1;
#else
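Review bot: The new guard `if (pos >= buffer_size)` justifies itself only by pointing at a test fixture; the comment should state the invariant it enforces so the next reader does not need the zip file, e.g. `/* rep0 can exceed dict_size (or dict_size can exceed buffer_size), so even the wrapped pos may lie past the end of buffer */` — that is my reading of why the check is needed, to be confirmed against how buffer is sized. The bound stops an out-of-range read in the wrapped case, but if `buffer` is allocated without zeroing, a `pos` that lands beyond what has been written so far still returns uninitialized bytes rather than an error; whether that matters depends on the allocation, which is outside the hunk. If `unpack_lzma_stream` computes `buffer_pos - rep0` at other sites, they need the same wrap-and-bound treatment, and a small static helper would keep them consistent. The enclosing function and the `bad:` label lie outside the hunk.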
diff --git a/testsuite/unzip.tests b/testsuite/unzip.tests
index 6bcb6b3a2..af53de9df 100755
--- a/testsuite/unzip.tests
+++ b/testsuite/unzip.tests
@@ -14,7 +14,7 @@
# Create a scratch directory
mkdir temp
-cd temp || exit 90
+cd temp || exit $?
# Create test file to work with.
@@ -54,9 +54,22 @@ SKIP=
rm -f *
-optional CONFIG_FEATURE_UNZIP_LZMA
-testing "unzip (archive with corrupted lzma)" "unzip -p ../unzip_bad_lzma_1.zip 2>&1; echo \$?" \
+optional FEATURE_UNZIP_LZMA
+testing "unzip (archive with corrupted lzma 1)" "unzip -p ../unzip_bad_lzma_1.zip 2>&1; echo \$?" \
"unzip: removing leading '/' from member names
+unzip: corrupted data
+unzip: inflate error
+1
+" \
+"" ""
+SKIP=
+
+rm -f *
+
+optional FEATURE_UNZIP_LZMA
+testing "unzip (archive with corrupted lzma 2)" "unzip -p ../unzip_bad_lzma_2.zip 2>&1; echo \$?" \
+"unzip: removing leading '/' from member names
+unzip: corrupted data
unzip: inflate error
1
" \
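Review bot: The two `testing` blocks for corrupted lzma 1 and 2 now repeat the same expected-output text and the same `optional`/`SKIP=`/`rm -f *` scaffolding verbatim; a loop such as `for n in 1 2; do testing "unzip (archive with corrupted lzma $n)" "unzip -p ../unzip_bad_lzma_$n.zip 2>&1; echo \$?" ... ; done` would keep the expected string in one place, assuming the harness's `optional`/`SKIP=` pairing behaves inside a loop. The trailing `"" ""` arguments and the final `SKIP=` reset of the second block appear to have been cut from this view, so the hunk may be incomplete here.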
diff --git a/testsuite/unzip_bad_lzma_2.zip b/testsuite/unzip_bad_lzma_2.zip
new file mode 100644
index 000000000..cdb917088
--- /dev/null
+++ b/testsuite/unzip_bad_lzma_2.zip
Binary files differ