unlzma: close another SEGV possibility

function old new delta unpack_lzma_stream 2669 2686 +17 Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2018-05-25 17:03:46 +02:00
parent 8f48fc01e9
commit a36986bb80
3 changed files with 21 additions and 4 deletions
--- a/archival/libarchive/decompress_unlzma.c
+++ b/archival/libarchive/decompress_unlzma.c
@@ -350,8 +350,12 @@ unpack_lzma_stream(transformer_state_t *xstate)
 						state = state < LZMA_NUM_LIT_STATES ? 9 : 11;

 						pos = buffer_pos - rep0;
-						if ((int32_t)pos < 0)
+						if ((int32_t)pos < 0) {
 							pos += header.dict_size;
+							/* see unzip_bad_lzma_2.zip: */
+							if (pos >= buffer_size)
+								goto bad;
+						}
 						previous_byte = buffer[pos];
 						goto one_byte1;
 #else