unlzma: fix SEGV, closes 10436

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Denys Vlasenko 2017-10-27 15:37:03 +02:00
parent 0402cb32df
commit 9ac42c5005


@ -450,8 +450,12 @@ unpack_lzma_stream(transformer_state_t *xstate)
IF_NOT_FEATURE_LZMA_FAST(string:) IF_NOT_FEATURE_LZMA_FAST(string:)
do { do {
uint32_t pos = buffer_pos - rep0; uint32_t pos = buffer_pos - rep0;
if ((int32_t)pos < 0) if ((int32_t)pos < 0) {
pos += header.dict_size; pos += header.dict_size;
/* bug 10436 has an example file where this triggers: */
if ((int32_t)pos < 0)
goto bad;
}
previous_byte = buffer[pos]; previous_byte = buffer[pos];
IF_NOT_FEATURE_LZMA_FAST(one_byte2:) IF_NOT_FEATURE_LZMA_FAST(one_byte2:)
buffer[buffer_pos++] = previous_byte; buffer[buffer_pos++] = previous_byte;
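Review bot: The added `if ((int32_t)pos < 0) goto bad;` only rejects a position that is still negative after `pos += header.dict_size`; nothing bounds `pos` from above before `buffer[pos]` is read. Whether that matters depends on how `buffer` is allocated, which is outside this hunk. If the allocation can be smaller than `header.dict_size`, or if `dict_size` taken from the file header can exceed 0x7fffffff so that the signed cast stops being a reliable test, a malformed stream could still index outside the buffer. An explicit unsigned comparison against the real allocation size would be more robust, e.g. `if (pos >= header.dict_size) goto bad;`, substituting the allocated length if it differs from `dict_size`. The body of `unpack_lzma_stream` and the `bad` label are outside the hunk, so this should be checked against the allocation site.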