summaryrefslogtreecommitdiffhomepage
path: root/archival/libarchive/decompress_unlzma.c
diff options
context:
space:
mode:
authorDenys Vlasenko <vda.linux@googlemail.com>2018-04-19 19:29:49 +0200
committerDenys Vlasenko <vda.linux@googlemail.com>2018-04-19 19:30:51 +0200
commite09c426456cfd030cc868d93bbcb2e0a6933cabb (patch)
treeb14b4e5bae0dd7a502a28fc471d87b68add7b5c4 /archival/libarchive/decompress_unlzma.c
parent2aeb201c9751d4ee82978c623310e14b9e831b94 (diff)
unlzma: fix another SEGV case
function old new delta unpack_lzma_stream 1705 1717 +12 Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Diffstat (limited to 'archival/libarchive/decompress_unlzma.c')
-rw-r--r--archival/libarchive/decompress_unlzma.c9
1 files changed, 7 insertions, 2 deletions
diff --git a/archival/libarchive/decompress_unlzma.c b/archival/libarchive/decompress_unlzma.c
index 80a453806..42efd5aa7 100644
--- a/archival/libarchive/decompress_unlzma.c
+++ b/archival/libarchive/decompress_unlzma.c
@@ -224,6 +224,7 @@ unpack_lzma_stream(transformer_state_t *xstate)
rc_t *rc;
int i;
uint8_t *buffer;
+ uint32_t buffer_size;
uint8_t previous_byte = 0;
size_t buffer_pos = 0, global_pos = 0;
int len = 0;
@@ -253,7 +254,8 @@ unpack_lzma_stream(transformer_state_t *xstate)
if (header.dict_size == 0)
header.dict_size++;
- buffer = xmalloc(MIN(header.dst_size, header.dict_size));
+ buffer_size = MIN(header.dst_size, header.dict_size);
+ buffer = xmalloc(buffer_size);
{
int num_probs;
@@ -464,7 +466,10 @@ unpack_lzma_stream(transformer_state_t *xstate)
if ((int32_t)pos < 0) {
pos += header.dict_size;
/* bug 10436 has an example file where this triggers: */
- if ((int32_t)pos < 0)
+ //if ((int32_t)pos < 0)
+ // goto bad;
+ /* more stringent test (see unzip_bad_lzma_1.zip): */
+ if (pos >= buffer_size)
goto bad;
}
previous_byte = buffer[pos];