unlzma: close another SEGV possibility

function old new delta unpack_lzma_stream 2669 2686 +17 Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2018-05-25 17:03:46 +02:00 · 2018-05-25 17:03:46 +02:00 · a36986bb80
commit a36986bb80
parent 8f48fc01e9
3 changed files with 21 additions and 4 deletions
--- a/archival/libarchive/decompress_unlzma.c
+++ b/archival/libarchive/decompress_unlzma.c
@ -350,8 +350,12 @@ unpack_lzma_stream(transformer_state_t *xstate)
 						state = state < LZMA_NUM_LIT_STATES ? 9 : 11;

 						pos = buffer_pos - rep0;
-						if ((int32_t)pos < 0)
+						if ((int32_t)pos < 0) {
 							pos += header.dict_size;
+							/* see unzip_bad_lzma_2.zip: */
+							if (pos >= buffer_size)
+								goto bad;
+						}
 						previous_byte = buffer[pos];
 						goto one_byte1;
 #else
--- a/testsuite/unzip.tests
+++ b/testsuite/unzip.tests
@ -14,7 +14,7 @@
 # Create a scratch directory

 mkdir temp
-cd temp || exit 90
+cd temp || exit $?

 # Create test file to work with.

@ -54,9 +54,22 @@ SKIP=

 rm -f *

-optional CONFIG_FEATURE_UNZIP_LZMA
-testing "unzip (archive with corrupted lzma)" "unzip -p ../unzip_bad_lzma_1.zip 2>&1; echo \$?" \
+optional FEATURE_UNZIP_LZMA
+testing "unzip (archive with corrupted lzma 1)" "unzip -p ../unzip_bad_lzma_1.zip 2>&1; echo \$?" \
 "unzip: removing leading '/' from member names
+unzip: corrupted data
+unzip: inflate error
+1
+" \
+"" ""
+SKIP=
+
+rm -f *
+
+optional FEATURE_UNZIP_LZMA
+testing "unzip (archive with corrupted lzma 2)" "unzip -p ../unzip_bad_lzma_2.zip 2>&1; echo \$?" \
+"unzip: removing leading '/' from member names
+unzip: corrupted data
 unzip: inflate error
 1
 " \
--- a/testsuite/unzip_bad_lzma_2.zip
+++ b/testsuite/unzip_bad_lzma_2.zip