unlzma: close another SEGV possibility

function                                             old     new   delta
unpack_lzma_stream                                  2669    2686     +17

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>

archival/libarchive/decompress_unlzma.c

@@ -350,8 +350,12 @@ unpack_lzma_stream(transformer_state_t *xstate)
 						state = state < LZMA_NUM_LIT_STATES ? 9 : 11;
 
 						pos = buffer_pos - rep0;
-						if ((int32_t)pos < 0)
+						if ((int32_t)pos < 0) {
 							pos += header.dict_size;
+							/* see unzip_bad_lzma_2.zip: */
+							if (pos >= buffer_size)
+								goto bad;
+						}
 						previous_byte = buffer[pos];
 						goto one_byte1;
 #else

testsuite/unzip.tests

@@ -14,7 +14,7 @@
 # Create a scratch directory
 
 mkdir temp
-cd temp || exit 90
+cd temp || exit $?
 
 # Create test file to work with.
 
@@ -54,9 +54,22 @@ SKIP=
 
 rm -f *
 
-optional CONFIG_FEATURE_UNZIP_LZMA
+optional FEATURE_UNZIP_LZMA
-testing "unzip (archive with corrupted lzma)" "unzip -p ../unzip_bad_lzma_1.zip 2>&1; echo \$?" \
+testing "unzip (archive with corrupted lzma 1)" "unzip -p ../unzip_bad_lzma_1.zip 2>&1; echo \$?" \
 "unzip: removing leading '/' from member names
+unzip: corrupted data
+unzip: inflate error
+1
+" \
+"" ""
+SKIP=
+
+rm -f *
+
+optional FEATURE_UNZIP_LZMA
+testing "unzip (archive with corrupted lzma 2)" "unzip -p ../unzip_bad_lzma_2.zip 2>&1; echo \$?" \
+"unzip: removing leading '/' from member names
+unzip: corrupted data
 unzip: inflate error
 1
 " \