From 1de25a6e87e0e627aa34298105a3d17c60a1f44e Mon Sep 17 00:00:00 2001 From: Denys Vlasenko Date: Mon, 26 Oct 2015 19:33:05 +0100 Subject: [PATCH] unzip: test for bad archive SEGVing function old new delta huft_build 1296 1300 +4 Signed-off-by: Denys Vlasenko --- archival/libarchive/decompress_gunzip.c | 11 +++++++---- testsuite/unzip.tests | 23 ++++++++++++++++++++++- 2 files changed, 29 insertions(+), 5 deletions(-) diff --git a/archival/libarchive/decompress_gunzip.c b/archival/libarchive/decompress_gunzip.c index 7b6f45934..30bf45154 100644 --- a/archival/libarchive/decompress_gunzip.c +++ b/archival/libarchive/decompress_gunzip.c @@ -305,11 +305,12 @@ static int huft_build(const unsigned *b, const unsigned n, unsigned i; /* counter, current code */ unsigned j; /* counter */ int k; /* number of bits in current code */ - unsigned *p; /* pointer into c[], b[], or v[] */ + const unsigned *p; /* pointer into c[], b[], or v[] */ huft_t *q; /* points to current table */ huft_t r; /* table entry for structure assignment */ huft_t *u[BMAX]; /* table stack */ unsigned v[N_MAX]; /* values in order of bit length */ + unsigned v_end; int ws[BMAX + 1]; /* bits decoded stack */ int w; /* bits decoded */ unsigned x[BMAX + 1]; /* bit offsets, then code stack */ @@ -324,7 +325,7 @@ static int huft_build(const unsigned *b, const unsigned n, /* Generate counts for each bit length */ memset(c, 0, sizeof(c)); - p = (unsigned *) b; /* cast allows us to reuse p for pointing to b */ + p = b; i = n; do { c[*p]++; /* assume all entries <= BMAX */ @@ -365,12 +366,14 @@ static int huft_build(const unsigned *b, const unsigned n, } /* Make a table of values in order of bit lengths */ - p = (unsigned *) b; + p = b; i = 0; + v_end = 0; do { j = *p++; if (j != 0) { v[x[j]++] = i; + v_end = x[j]; } } while (++i < n); @@ -432,7 +435,7 @@ static int huft_build(const unsigned *b, const unsigned n, /* set up table entry in r */ r.b = (unsigned char) (k - w); - if (p >= v + n) { + if (p >= v + v_end) { // Was "if (p >= v + n)" but v[] can be shorter! r.e = 99; /* out of values--invalid code */ } else if (*p < s) { r.e = (unsigned char) (*p < 256 ? 16 : 15); /* 256 is EOB code */ diff --git a/testsuite/unzip.tests b/testsuite/unzip.tests index 8677a0306..ca0a45800 100755 --- a/testsuite/unzip.tests +++ b/testsuite/unzip.tests @@ -7,7 +7,7 @@ . ./testing.sh -# testing "test name" "options" "expected result" "file input" "stdin" +# testing "test name" "commands" "expected result" "file input" "stdin" # file input will be file called "input" # test can create a file "actual" instead of writing to stdout @@ -30,6 +30,27 @@ testing "unzip (subdir only)" "unzip -q foo.zip foo/ && test -d foo && test ! -f rmdir foo rm foo.zip +# File containing some damaged encrypted stream +testing "unzip (bad archive)" "uudecode; unzip bad.zip 2>&1; echo \$?" \ +"Archive: bad.zip + inflating: ]3j½r«IK-%Ix +unzip: inflate error +1 +" \ +"" "\ +begin-base64 644 bad.zip +UEsDBBQAAgkIAAAAIQA5AAAANwAAADwAAAAQAAcAXTNqwr1ywqtJGxJLLSVJ +eCkBD0AdKBk8JzQsIj01JC0/ORJQSwMEFAECCAAAAAAhADoAAAAPAAAANgAA +AAwAAQASw73Ct1DCokohPXQiNjoUNTUiHRwgLT4WHlBLAQIQABQAAggIAAAA +oQA5AAAANwAAADwAAAAQQAcADAAAACwAMgCAAAAAAABdM2rCvXLCq0kbEkst +JUl4KQEPQB0oGSY4Cz4QNgEnJSYIPVBLAQIAABQAAggAAAAAIQAqAAAADwAA +BDYAAAAMAAEADQAAADIADQAAAEEAAAASw73Ct1DKokohPXQiNzA+FAI1HCcW +NzITNFBLBQUKAC4JAA04Cw0EOhZQSwUGAQAABAIAAgCZAAAAeQAAAAIALhM= +==== +" + +rm * + # Clean up scratch directory. cd ..