emo/busybox
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

unlzma: fix too-eager corruption check

Browse Source 
function                                             old     new   delta
unpack_lzma_stream                                  2686    2674     -12

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
This commit is contained in:
Denys Vlasenko
2018-11-27 11:52:14 +01:00
parent f4fc303e36
commit e80d04b574
1 changed files with 13 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

20
archival/libarchive/decompress_unlzma.c
View File

@@ -353,8 +353,10 @@ unpack_lzma_stream(transformer_state_t *xstate)
if ((int32_t)pos < 0) {
pos += header.dict_size;
/* see unzip_bad_lzma_2.zip: */
if (pos >= buffer_size)
if (pos >= buffer_size) {
dbg("%d pos:%d buffer_size:%d", __LINE__, pos, buffer_size);
goto bad;
}
}
previous_byte = buffer[pos];
goto one_byte1;
@@ -430,10 +432,9 @@ unpack_lzma_stream(transformer_state_t *xstate)
for (; num_bits2 != LZMA_NUM_ALIGN_BITS; num_bits2--)
rep0 = (rep0 << 1) | rc_direct_bit(rc);
rep0 <<= LZMA_NUM_ALIGN_BITS;
if ((int32_t)rep0 < 0) {
dbg("%d rep0:%d", __LINE__, rep0);
goto bad;
}
// Note: (int32_t)rep0 may be < 0 here
// (I have linux-3.3.4.tar.lzma which has it).
// I moved the check after "++rep0 == 0" check below.
prob3 = p + LZMA_ALIGN;
}
i2 = 1;
@@ -444,8 +445,13 @@ unpack_lzma_stream(transformer_state_t *xstate)
i2 <<= 1;
}
}
if (++rep0 == 0)
break;
rep0++;
if ((int32_t)rep0 <= 0) {
if (rep0 == 0)
break;
dbg("%d rep0:%d", __LINE__, rep0);
goto bad;
}
}
len += LZMA_MATCH_MIN_LEN;