unlzma: fix too-eager corruption check
function old new delta unpack_lzma_stream 2686 2674 -12 Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
parent
f4fc303e36
commit
e80d04b574
@ -353,8 +353,10 @@ unpack_lzma_stream(transformer_state_t *xstate)
|
|||||||
if ((int32_t)pos < 0) {
|
if ((int32_t)pos < 0) {
|
||||||
pos += header.dict_size;
|
pos += header.dict_size;
|
||||||
/* see unzip_bad_lzma_2.zip: */
|
/* see unzip_bad_lzma_2.zip: */
|
||||||
if (pos >= buffer_size)
|
if (pos >= buffer_size) {
|
||||||
|
dbg("%d pos:%d buffer_size:%d", __LINE__, pos, buffer_size);
|
||||||
goto bad;
|
goto bad;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
previous_byte = buffer[pos];
|
previous_byte = buffer[pos];
|
||||||
goto one_byte1;
|
goto one_byte1;
|
||||||
@ -430,10 +432,9 @@ unpack_lzma_stream(transformer_state_t *xstate)
|
|||||||
for (; num_bits2 != LZMA_NUM_ALIGN_BITS; num_bits2--)
|
for (; num_bits2 != LZMA_NUM_ALIGN_BITS; num_bits2--)
|
||||||
rep0 = (rep0 << 1) | rc_direct_bit(rc);
|
rep0 = (rep0 << 1) | rc_direct_bit(rc);
|
||||||
rep0 <<= LZMA_NUM_ALIGN_BITS;
|
rep0 <<= LZMA_NUM_ALIGN_BITS;
|
||||||
if ((int32_t)rep0 < 0) {
|
// Note: (int32_t)rep0 may be < 0 here
|
||||||
dbg("%d rep0:%d", __LINE__, rep0);
|
// (I have linux-3.3.4.tar.lzma which has it).
|
||||||
goto bad;
|
// I moved the check after "++rep0 == 0" check below.
|
||||||
}
|
|
||||||
prob3 = p + LZMA_ALIGN;
|
prob3 = p + LZMA_ALIGN;
|
||||||
}
|
}
|
||||||
i2 = 1;
|
i2 = 1;
|
||||||
@ -444,8 +445,13 @@ unpack_lzma_stream(transformer_state_t *xstate)
|
|||||||
i2 <<= 1;
|
i2 <<= 1;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if (++rep0 == 0)
|
rep0++;
|
||||||
break;
|
if ((int32_t)rep0 <= 0) {
|
||||||
|
if (rep0 == 0)
|
||||||
|
break;
|
||||||
|
dbg("%d rep0:%d", __LINE__, rep0);
|
||||||
|
goto bad;
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
len += LZMA_MATCH_MIN_LEN;
|
len += LZMA_MATCH_MIN_LEN;
|
||||||
|
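Review bot: The relocated test `if ((int32_t)rep0 <= 0)` in the last hunk carries no explanation of why a zero result is a clean `break` while every other value with the top bit set is `goto bad`, and the comment kept in the hunk above still refers to a `"++rep0 == 0"` expression that this commit removes. rep0 appears to be a match distance, so this is the sanity check on attacker-controlled input, and the reasoning belongs next to it, for example `/* rep0 wrapped to 0: decoded distance was 0xffffffff, presumably the end marker; any other value >= 2^31 cannot be a valid distance */`. Separately, the two new `dbg()` calls print `rep0` and `pos` with `%d` although the `(int32_t)` casts suggest both are unsigned; `%u` would show the offending value as decoded rather than as a negative number. unpack_lzma_stream begins and ends outside these hunks, so the declarations cannot be confirmed from here.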