unzip: test for bad archive SEGVing

function                                             old     new   delta
huft_build                                          1296    1300      +4

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
This commit is contained in:
Denys Vlasenko 2015-10-26 19:33:05 +01:00
parent d683c5c2f1
commit 1de25a6e87
2 changed files with 29 additions and 5 deletions

View File

@ -305,11 +305,12 @@ static int huft_build(const unsigned *b, const unsigned n,
unsigned i; /* counter, current code */ unsigned i; /* counter, current code */
unsigned j; /* counter */ unsigned j; /* counter */
int k; /* number of bits in current code */ int k; /* number of bits in current code */
unsigned *p; /* pointer into c[], b[], or v[] */ const unsigned *p; /* pointer into c[], b[], or v[] */
huft_t *q; /* points to current table */ huft_t *q; /* points to current table */
huft_t r; /* table entry for structure assignment */ huft_t r; /* table entry for structure assignment */
huft_t *u[BMAX]; /* table stack */ huft_t *u[BMAX]; /* table stack */
unsigned v[N_MAX]; /* values in order of bit length */ unsigned v[N_MAX]; /* values in order of bit length */
unsigned v_end;
int ws[BMAX + 1]; /* bits decoded stack */ int ws[BMAX + 1]; /* bits decoded stack */
int w; /* bits decoded */ int w; /* bits decoded */
unsigned x[BMAX + 1]; /* bit offsets, then code stack */ unsigned x[BMAX + 1]; /* bit offsets, then code stack */
@ -324,7 +325,7 @@ static int huft_build(const unsigned *b, const unsigned n,
/* Generate counts for each bit length */ /* Generate counts for each bit length */
memset(c, 0, sizeof(c)); memset(c, 0, sizeof(c));
p = (unsigned *) b; /* cast allows us to reuse p for pointing to b */ p = b;
i = n; i = n;
do { do {
c[*p]++; /* assume all entries <= BMAX */ c[*p]++; /* assume all entries <= BMAX */
@ -365,12 +366,14 @@ static int huft_build(const unsigned *b, const unsigned n,
} }
/* Make a table of values in order of bit lengths */ /* Make a table of values in order of bit lengths */
p = (unsigned *) b; p = b;
i = 0; i = 0;
v_end = 0;
do { do {
j = *p++; j = *p++;
if (j != 0) { if (j != 0) {
v[x[j]++] = i; v[x[j]++] = i;
v_end = x[j];
} }
} while (++i < n); } while (++i < n);
@ -432,7 +435,7 @@ static int huft_build(const unsigned *b, const unsigned n,
/* set up table entry in r */ /* set up table entry in r */
r.b = (unsigned char) (k - w); r.b = (unsigned char) (k - w);
if (p >= v + n) { if (p >= v + v_end) { // Was "if (p >= v + n)" but v[] can be shorter!
r.e = 99; /* out of values--invalid code */ r.e = 99; /* out of values--invalid code */
} else if (*p < s) { } else if (*p < s) {
r.e = (unsigned char) (*p < 256 ? 16 : 15); /* 256 is EOB code */ r.e = (unsigned char) (*p < 256 ? 16 : 15); /* 256 is EOB code */

View File

@ -7,7 +7,7 @@
. ./testing.sh . ./testing.sh
# testing "test name" "options" "expected result" "file input" "stdin" # testing "test name" "commands" "expected result" "file input" "stdin"
# file input will be file called "input" # file input will be file called "input"
# test can create a file "actual" instead of writing to stdout # test can create a file "actual" instead of writing to stdout
@ -30,6 +30,27 @@ testing "unzip (subdir only)" "unzip -q foo.zip foo/ && test -d foo && test ! -f
rmdir foo rmdir foo
rm foo.zip rm foo.zip
# File containing some damaged encrypted stream
testing "unzip (bad archive)" "uudecode; unzip bad.zip 2>&1; echo \$?" \
"Archive: bad.zip
inflating: ]3j½r«IK-%Ix
unzip: inflate error
1
" \
"" "\
begin-base64 644 bad.zip
UEsDBBQAAgkIAAAAIQA5AAAANwAAADwAAAAQAAcAXTNqwr1ywqtJGxJLLSVJ
eCkBD0AdKBk8JzQsIj01JC0/ORJQSwMEFAECCAAAAAAhADoAAAAPAAAANgAA
AAwAAQASw73Ct1DCokohPXQiNjoUNTUiHRwgLT4WHlBLAQIQABQAAggIAAAA
oQA5AAAANwAAADwAAAAQQAcADAAAACwAMgCAAAAAAABdM2rCvXLCq0kbEkst
JUl4KQEPQB0oGSY4Cz4QNgEnJSYIPVBLAQIAABQAAggAAAAAIQAqAAAADwAA
BDYAAAAMAAEADQAAADIADQAAAEEAAAASw73Ct1DKokohPXQiNzA+FAI1HCcW
NzITNFBLBQUKAC4JAA04Cw0EOhZQSwUGAQAABAIAAgCZAAAAeQAAAAIALhM=
====
"
rm *
# Clean up scratch directory. # Clean up scratch directory.
cd .. cd ..