unlzma: fix another SEGV case
function old new delta
unpack_lzma_stream 1705 1717 +12
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
diff --git a/archival/libarchive/decompress_unlzma.c b/archival/libarchive/decompress_unlzma.c
index 80a4538..42efd5a 100644
--- a/archival/libarchive/decompress_unlzma.c
+++ b/archival/libarchive/decompress_unlzma.c
@@ -224,6 +224,7 @@
rc_t *rc;
int i;
uint8_t *buffer;
+ uint32_t buffer_size;
uint8_t previous_byte = 0;
size_t buffer_pos = 0, global_pos = 0;
int len = 0;
@@ -253,7 +254,8 @@
if (header.dict_size == 0)
header.dict_size++;
- buffer = xmalloc(MIN(header.dst_size, header.dict_size));
+ buffer_size = MIN(header.dst_size, header.dict_size);
+ buffer = xmalloc(buffer_size);
{
int num_probs;
@@ -464,7 +466,10 @@
if ((int32_t)pos < 0) {
pos += header.dict_size;
/* bug 10436 has an example file where this triggers: */
- if ((int32_t)pos < 0)
+ //if ((int32_t)pos < 0)
+ // goto bad;
+ /* more stringent test (see unzip_bad_lzma_1.zip): */
+ if (pos >= buffer_size)
goto bad;
}
previous_byte = buffer[pos];
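Review bot: The new bound `pos >= buffer_size` is evaluated only inside the wrap branch, so a `pos` that is non-negative as `int32_t` but still at or beyond `buffer_size` (reachable only if `rep0` can be zero or `buffer_pos` can equal `buffer_size` here, which I cannot confirm from the hunk) would still index `buffer[pos]` unchecked on the line after the block. Hoisting the check out of the branch covers both paths at no extra cost: `if ((int32_t)pos < 0) pos += header.dict_size;` followed by `if (pos >= buffer_size) goto bad;`. The commented-out `//if ((int32_t)pos < 0) // goto bad;` lines should be deleted rather than kept; the new test is the stronger one (the buffer is only `MIN(dst_size, dict_size)` bytes, so adding `dict_size` can legitimately land past its end) and git history preserves the old form. If the literal-decoding path earlier in unpack_lzma_stream computes `buffer_pos - rep0` the same way, it needs the same `buffer_size` bound; the enclosing function starts and ends outside this hunk.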
diff --git a/testsuite/unzip.tests b/testsuite/unzip.tests
index 2e4becd..6bcb6b3 100755
--- a/testsuite/unzip.tests
+++ b/testsuite/unzip.tests
@@ -14,7 +14,7 @@
# Create a scratch directory
mkdir temp
-cd temp
+cd temp || exit 90
# Create test file to work with.
@@ -52,7 +52,18 @@
"
SKIP=
-rm *
+rm -f *
+
+optional CONFIG_FEATURE_UNZIP_LZMA
+testing "unzip (archive with corrupted lzma)" "unzip -p ../unzip_bad_lzma_1.zip 2>&1; echo \$?" \
+"unzip: removing leading '/' from member names
+unzip: inflate error
+1
+" \
+"" ""
+SKIP=
+
+rm -f *
# Clean up scratch directory.
diff --git a/testsuite/unzip_bad_lzma_1.zip b/testsuite/unzip_bad_lzma_1.zip
new file mode 100644
index 0000000..1335c96
--- /dev/null
+++ b/testsuite/unzip_bad_lzma_1.zip
Binary files differ