unlzma: fix too-eager corruption check
function old new delta
unpack_lzma_stream 2686 2674 -12
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
diff --git a/archival/libarchive/decompress_unlzma.c b/archival/libarchive/decompress_unlzma.c
index 6886239..668b016 100644
--- a/archival/libarchive/decompress_unlzma.c
+++ b/archival/libarchive/decompress_unlzma.c
@@ -353,8 +353,10 @@
if ((int32_t)pos < 0) {
pos += header.dict_size;
/* see unzip_bad_lzma_2.zip: */
- if (pos >= buffer_size)
+ if (pos >= buffer_size) {
+ dbg("%d pos:%d buffer_size:%d", __LINE__, pos, buffer_size);
goto bad;
+ }
}
previous_byte = buffer[pos];
goto one_byte1;
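Review bot: The new dbg() call prints pos and buffer_size with %d, yet the `(int32_t)pos < 0` test two lines above only makes sense if pos is an unsigned 32-bit value (buffer_size presumably is as well), so in exactly the case this message is meant to diagnose — pos still out of range after adding header.dict_size, which comes from the untrusted stream header — a large pos would be shown as a negative number. If those declarations are indeed uint32_t, `dbg("%d pos:%u buffer_size:%u", __LINE__, pos, buffer_size);` keeps the output readable; if dbg() compiles to nothing in normal builds this only affects debug output. The bounds check against buffer_size rather than header.dict_size is the right one, since it is the allocated size that protects the `buffer[pos]` read. unpack_lzma_stream begins and ends outside this hunk.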
@@ -430,10 +432,9 @@
for (; num_bits2 != LZMA_NUM_ALIGN_BITS; num_bits2--)
rep0 = (rep0 << 1) | rc_direct_bit(rc);
rep0 <<= LZMA_NUM_ALIGN_BITS;
- if ((int32_t)rep0 < 0) {
- dbg("%d rep0:%d", __LINE__, rep0);
- goto bad;
- }
+ // Note: (int32_t)rep0 may be < 0 here
+ // (I have linux-3.3.4.tar.lzma which has it).
+ // I moved the check after "++rep0 == 0" check below.
prob3 = p + LZMA_ALIGN;
}
i2 = 1;
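Review bot: The three-line `//` comment that replaces the removed check is a first-person note ("I have …", "I moved …") in a file whose existing comments use `/* */` (see the `/* see unzip_bad_lzma_2.zip: */` line in the first hunk), and its "check below" refers to code that is not in this hunk. Something like `/* (int32_t)rep0 may legitimately be negative here (seen in linux-3.3.4.tar.lzma); the end-marker/overflow check is done after ++rep0 below. */` records the same rationale in the file's style and without the anecdotal phrasing. The validation that now replaces this check lives later in the function, outside this hunk, so a reader of this hunk alone cannot confirm where rep0 is eventually rejected. unpack_lzma_stream begins and ends outside this hunk.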
@@ -444,8 +445,13 @@
i2 <<= 1;
}
}
- if (++rep0 == 0)
- break;
+ rep0++;
+ if ((int32_t)rep0 <= 0) {
+ if (rep0 == 0)
+ break;
+ dbg("%d rep0:%d", __LINE__, rep0);
+ goto bad;
+ }
}
len += LZMA_MATCH_MIN_LEN;