uncompress: fix buffer underrun by corrupted input
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
This commit is contained in:
parent
b1611d9a46
commit
251fc70e97
@ -163,7 +163,8 @@ unpack_Z_stream(int fd_in, int fd_out)
|
||||
|
||||
if (insize < (int) (IBUFSIZ + 64) - IBUFSIZ) {
|
||||
rsize = safe_read(fd_in, inbuf + insize, IBUFSIZ);
|
||||
//error check??
|
||||
if (rsize < 0)
|
||||
bb_error_msg(bb_msg_read_error);
|
||||
insize += rsize;
|
||||
}
|
||||
|
||||
@ -195,6 +196,8 @@ unpack_Z_stream(int fd_in, int fd_out)
|
||||
|
||||
|
||||
if (oldcode == -1) {
|
||||
if (code >= 256)
|
||||
bb_error_msg_and_die("corrupted data"); /* %ld", code); */
|
||||
oldcode = code;
|
||||
finchar = (int) oldcode;
|
||||
outbuf[outpos++] = (unsigned char) finchar;
|
||||
@ -239,6 +242,8 @@ unpack_Z_stream(int fd_in, int fd_out)
|
||||
|
||||
/* Generate output characters in reverse order */
|
||||
while ((long) code >= (long) 256) {
|
||||
if (stackp <= &htabof(0))
|
||||
bb_error_msg_and_die("corrupted data");
|
||||
*--stackp = tab_suffixof(code);
|
||||
code = tab_prefixof(code);
|
||||
}
|
||||
@ -263,8 +268,7 @@ unpack_Z_stream(int fd_in, int fd_out)
|
||||
}
|
||||
|
||||
if (outpos >= OBUFSIZ) {
|
||||
full_write(fd_out, outbuf, outpos);
|
||||
//error check??
|
||||
xwrite(fd_out, outbuf, outpos);
|
||||
IF_DESKTOP(total_written += outpos;)
|
||||
outpos = 0;
|
||||
}
|
||||
@ -292,8 +296,7 @@ unpack_Z_stream(int fd_in, int fd_out)
|
||||
} while (rsize > 0);
|
||||
|
||||
if (outpos > 0) {
|
||||
full_write(fd_out, outbuf, outpos);
|
||||
//error check??
|
||||
xwrite(fd_out, outbuf, outpos);
|
||||
IF_DESKTOP(total_written += outpos;)
|
||||
}
|
||||
|
||||
|
20
testsuite/uncompress.tests
Executable file
20
testsuite/uncompress.tests
Executable file
@ -0,0 +1,20 @@
|
||||
#!/bin/sh
|
||||
# Copyright 2011 by Denys Vlasenko
|
||||
# Licensed under GPLv2, see file LICENSE in this source tree.
|
||||
|
||||
. ./testing.sh
|
||||
|
||||
# testing "test name" "commands" "expected result" "file input" "stdin"
|
||||
|
||||
testing "uncompress < \x1f\x9d\x90 \x01 x N" \
|
||||
'uncompress 2>&1 1>/dev/null; echo $?' \
|
||||
"\
|
||||
uncompress: corrupted data
|
||||
1
|
||||
" \
|
||||
"" "\
|
||||
\x1f\x9d\x90\
|
||||
\01\01\01\01\01\01\01\01\01\01\01\01\01\01\01\01\01\01\01\01\01\01\01\01\01\01\01\01\01\01\01\01\
|
||||
"
|
||||
|
||||
exit $FAILCOUNT
|
Loading…
x
Reference in New Issue
Block a user