unlzma: fix segfault on bad archive

function old new delta unpack_lzma_stream 2647 2653 +6 Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2018-04-08 20:45:16 +02:00 · 2018-04-08 20:45:16 +02:00 · a1870f4807
commit a1870f4807
parent 38ccd6af8a
4 changed files with 32 additions and 0 deletions
--- a/archival/libarchive/decompress_unlzma.c
+++ b/archival/libarchive/decompress_unlzma.c
@ -11,6 +11,13 @@
 #include "libbb.h"
 #include "bb_archive.h"

+#if 0
+# define dbg(...) bb_error_msg(__VA_ARGS__)
+#else
+# define dbg(...) ((void)0)
+#endif
+
+
 #if ENABLE_FEATURE_LZMA_FAST
 #  define speed_inline ALWAYS_INLINE
 #  define size_inline
@ -417,6 +424,10 @@ unpack_lzma_stream(transformer_state_t *xstate)
 						for (; num_bits2 != LZMA_NUM_ALIGN_BITS; num_bits2--)
 							rep0 = (rep0 << 1) | rc_direct_bit(rc);
 						rep0 <<= LZMA_NUM_ALIGN_BITS;
+						if ((int32_t)rep0 < 0) {
+							dbg("%d rep0:%d", __LINE__, rep0);
+							goto bad;
+						}
 						prob3 = p + LZMA_ALIGN;
 					}
 					i2 = 1;
--- a/testsuite/unlzma.tests
+++ b/testsuite/unlzma.tests
@ -0,0 +1,21 @@
+#!/bin/sh
+
+. ./testing.sh
+
+# testing "test name" "commands" "expected result" "file input" "stdin"
+#   file input will be file called "input"
+#   test can create a file "actual" instead of writing to stdout
+
+# Damaged encrypted streams
+testing "unlzma (bad archive 1)" \
+	"unlzma <unlzma_issue_1.lzma >/dev/null; echo \$?" \
+"1
+" "" ""
+
+# Damaged encrypted streams
+testing "unlzma (bad archive 2)" \
+	"unlzma <unlzma_issue_2.lzma >/dev/null; echo \$?" \
+"1
+" "" ""
+
+exit $FAILCOUNT
--- a/testsuite/unlzma_issue_1.lzma
+++ b/testsuite/unlzma_issue_1.lzma
--- a/testsuite/unlzma_issue_2.lzma
+++ b/testsuite/unlzma_issue_2.lzma