Denys Vlasenko 04f052c56d unlzma: fix a case where we could read before beginning of buffer
Testcase:

  21 01 01 00 00 00 00 00 e7 01 01 01 ef 00 df b6
  00 17 02 10 11 0f ff 00 16 00 00

Unfortunately, the bug is not reliably causing a segfault,
the behavior depends on what's in memory before the buffer.

function                                             old     new   delta
unpack_lzma_stream                                  2762    2768      +6

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
2021-06-15 15:14:00 +02:00

528 lines
14 KiB
C

/* vi: set sw=4 ts=4: */
/*
* Small lzma deflate implementation.
* Copyright (C) 2006 Aurelien Jacobs <aurel@gnuage.org>
*
* Based on LzmaDecode.c from the LZMA SDK 4.22 (http://www.7-zip.org/)
* Copyright (C) 1999-2005 Igor Pavlov
*
* Licensed under GPLv2 or later, see file LICENSE in this source tree.
*/
#include "libbb.h"
#include "bb_archive.h"
#if 0
# define dbg(...) bb_error_msg(__VA_ARGS__)
#else
# define dbg(...) ((void)0)
#endif
#if ENABLE_FEATURE_LZMA_FAST
# define speed_inline ALWAYS_INLINE
# define size_inline
#else
# define speed_inline
# define size_inline ALWAYS_INLINE
#endif
typedef struct {
int fd;
uint8_t *ptr;
/* Was keeping rc on stack in unlzma and separately allocating buffer,
* but with "buffer 'attached to' allocated rc" code is smaller: */
/* uint8_t *buffer; */
#define RC_BUFFER ((uint8_t*)(rc+1))
uint8_t *buffer_end;
/* Had provisions for variable buffer, but we don't need it here */
/* int buffer_size; */
#define RC_BUFFER_SIZE 0x10000
uint32_t code;
uint32_t range;
uint32_t bound;
} rc_t;
#define RC_TOP_BITS 24
#define RC_MOVE_BITS 5
#define RC_MODEL_TOTAL_BITS 11
/* Called once in rc_do_normalize() */
static void rc_read(rc_t *rc)
{
int buffer_size = safe_read(rc->fd, RC_BUFFER, RC_BUFFER_SIZE);
//TODO: return -1 instead
//This will make unlzma delete broken unpacked file on unpack errors
if (buffer_size <= 0)
bb_simple_error_msg_and_die("unexpected EOF");
rc->buffer_end = RC_BUFFER + buffer_size;
rc->ptr = RC_BUFFER;
}
/* Called twice, but one callsite is in speed_inline'd rc_is_bit_1() */
static void rc_do_normalize(rc_t *rc)
{
if (rc->ptr >= rc->buffer_end)
rc_read(rc);
rc->range <<= 8;
rc->code = (rc->code << 8) | *rc->ptr++;
}
static ALWAYS_INLINE void rc_normalize(rc_t *rc)
{
if (rc->range < (1 << RC_TOP_BITS)) {
rc_do_normalize(rc);
}
}
/* Called once */
static ALWAYS_INLINE rc_t* rc_init(int fd) /*, int buffer_size) */
{
int i;
rc_t *rc;
rc = xzalloc(sizeof(*rc) + RC_BUFFER_SIZE);
rc->fd = fd;
/* rc->ptr = rc->buffer_end; */
for (i = 0; i < 5; i++) {
rc_do_normalize(rc);
}
rc->range = 0xffffffff;
return rc;
}
/* Called once */
static ALWAYS_INLINE void rc_free(rc_t *rc)
{
free(rc);
}
/* rc_is_bit_1 is called 9 times */
static speed_inline int rc_is_bit_1(rc_t *rc, uint16_t *p)
{
rc_normalize(rc);
rc->bound = *p * (rc->range >> RC_MODEL_TOTAL_BITS);
if (rc->code < rc->bound) {
rc->range = rc->bound;
*p += ((1 << RC_MODEL_TOTAL_BITS) - *p) >> RC_MOVE_BITS;
return 0;
}
rc->range -= rc->bound;
rc->code -= rc->bound;
*p -= *p >> RC_MOVE_BITS;
return 1;
}
/* Called 4 times in unlzma loop */
static ALWAYS_INLINE int rc_get_bit(rc_t *rc, uint16_t *p, int *symbol)
{
int ret = rc_is_bit_1(rc, p);
*symbol = *symbol * 2 + ret;
return ret;
}
/* Called once */
static ALWAYS_INLINE int rc_direct_bit(rc_t *rc)
{
rc_normalize(rc);
rc->range >>= 1;
if (rc->code >= rc->range) {
rc->code -= rc->range;
return 1;
}
return 0;
}
/* Called twice */
static speed_inline void
rc_bit_tree_decode(rc_t *rc, uint16_t *p, int num_levels, int *symbol)
{
int i = num_levels;
*symbol = 1;
while (i--)
rc_get_bit(rc, p + *symbol, symbol);
*symbol -= 1 << num_levels;
}
typedef struct {
uint8_t pos;
uint32_t dict_size;
uint64_t dst_size;
} PACKED lzma_header_t;
/* #defines will force compiler to compute/optimize each one with each usage.
* Have heart and use enum instead. */
enum {
LZMA_BASE_SIZE = 1846,
LZMA_LIT_SIZE = 768,
LZMA_NUM_POS_BITS_MAX = 4,
LZMA_LEN_NUM_LOW_BITS = 3,
LZMA_LEN_NUM_MID_BITS = 3,
LZMA_LEN_NUM_HIGH_BITS = 8,
LZMA_LEN_CHOICE = 0,
LZMA_LEN_CHOICE_2 = (LZMA_LEN_CHOICE + 1),
LZMA_LEN_LOW = (LZMA_LEN_CHOICE_2 + 1),
LZMA_LEN_MID = (LZMA_LEN_LOW \
+ (1 << (LZMA_NUM_POS_BITS_MAX + LZMA_LEN_NUM_LOW_BITS))),
LZMA_LEN_HIGH = (LZMA_LEN_MID \
+ (1 << (LZMA_NUM_POS_BITS_MAX + LZMA_LEN_NUM_MID_BITS))),
LZMA_NUM_LEN_PROBS = (LZMA_LEN_HIGH + (1 << LZMA_LEN_NUM_HIGH_BITS)),
LZMA_NUM_STATES = 12,
LZMA_NUM_LIT_STATES = 7,
LZMA_START_POS_MODEL_INDEX = 4,
LZMA_END_POS_MODEL_INDEX = 14,
LZMA_NUM_FULL_DISTANCES = (1 << (LZMA_END_POS_MODEL_INDEX >> 1)),
LZMA_NUM_POS_SLOT_BITS = 6,
LZMA_NUM_LEN_TO_POS_STATES = 4,
LZMA_NUM_ALIGN_BITS = 4,
LZMA_MATCH_MIN_LEN = 2,
LZMA_IS_MATCH = 0,
LZMA_IS_REP = (LZMA_IS_MATCH + (LZMA_NUM_STATES << LZMA_NUM_POS_BITS_MAX)),
LZMA_IS_REP_G0 = (LZMA_IS_REP + LZMA_NUM_STATES),
LZMA_IS_REP_G1 = (LZMA_IS_REP_G0 + LZMA_NUM_STATES),
LZMA_IS_REP_G2 = (LZMA_IS_REP_G1 + LZMA_NUM_STATES),
LZMA_IS_REP_0_LONG = (LZMA_IS_REP_G2 + LZMA_NUM_STATES),
LZMA_POS_SLOT = (LZMA_IS_REP_0_LONG \
+ (LZMA_NUM_STATES << LZMA_NUM_POS_BITS_MAX)),
LZMA_SPEC_POS = (LZMA_POS_SLOT \
+ (LZMA_NUM_LEN_TO_POS_STATES << LZMA_NUM_POS_SLOT_BITS)),
LZMA_ALIGN = (LZMA_SPEC_POS \
+ LZMA_NUM_FULL_DISTANCES - LZMA_END_POS_MODEL_INDEX),
LZMA_LEN_CODER = (LZMA_ALIGN + (1 << LZMA_NUM_ALIGN_BITS)),
LZMA_REP_LEN_CODER = (LZMA_LEN_CODER + LZMA_NUM_LEN_PROBS),
LZMA_LITERAL = (LZMA_REP_LEN_CODER + LZMA_NUM_LEN_PROBS),
};
IF_DESKTOP(long long) int FAST_FUNC
unpack_lzma_stream(transformer_state_t *xstate)
{
IF_DESKTOP(long long total_written = 0;)
lzma_header_t header;
int lc, pb, lp;
uint32_t pos_state_mask;
uint32_t literal_pos_mask;
uint16_t *p;
rc_t *rc;
int i;
uint8_t *buffer;
uint32_t buffer_size;
uint8_t previous_byte = 0;
size_t buffer_pos = 0, global_pos = 0;
int len = 0;
int state = 0;
uint32_t rep0 = 1, rep1 = 1, rep2 = 1, rep3 = 1;
if (full_read(xstate->src_fd, &header, sizeof(header)) != sizeof(header)
|| header.pos >= (9 * 5 * 5)
) {
bb_simple_error_msg("bad lzma header");
return -1;
}
i = header.pos / 9;
lc = header.pos % 9;
pb = i / 5;
lp = i % 5;
pos_state_mask = (1 << pb) - 1;
literal_pos_mask = (1 << lp) - 1;
/* Example values from linux-3.3.4.tar.lzma:
* dict_size: 64M, dst_size: 2^64-1
*/
header.dict_size = SWAP_LE32(header.dict_size);
header.dst_size = SWAP_LE64(header.dst_size);
if (header.dict_size == 0)
header.dict_size++;
buffer_size = MIN(header.dst_size, header.dict_size);
buffer = xmalloc(buffer_size);
{
int num_probs;
num_probs = LZMA_BASE_SIZE + (LZMA_LIT_SIZE << (lc + lp));
p = xmalloc(num_probs * sizeof(*p));
num_probs += LZMA_LITERAL - LZMA_BASE_SIZE;
for (i = 0; i < num_probs; i++)
p[i] = (1 << RC_MODEL_TOTAL_BITS) >> 1;
}
rc = rc_init(xstate->src_fd); /*, RC_BUFFER_SIZE); */
while (global_pos + buffer_pos < header.dst_size) {
int pos_state = (buffer_pos + global_pos) & pos_state_mask;
uint16_t *prob = p + LZMA_IS_MATCH + (state << LZMA_NUM_POS_BITS_MAX) + pos_state;
if (!rc_is_bit_1(rc, prob)) {
static const char next_state[LZMA_NUM_STATES] =
{ 0, 0, 0, 0, 1, 2, 3, 4, 5, 6, 4, 5 };
int mi = 1;
prob = (p + LZMA_LITERAL
+ (LZMA_LIT_SIZE * ((((buffer_pos + global_pos) & literal_pos_mask) << lc)
+ (previous_byte >> (8 - lc))
)
)
);
if (state >= LZMA_NUM_LIT_STATES) {
int match_byte;
uint32_t pos;
pos = buffer_pos - rep0;
if ((int32_t)pos < 0) {
pos += header.dict_size;
if ((int32_t)pos < 0)
goto bad;
}
match_byte = buffer[pos];
do {
int bit;
match_byte <<= 1;
bit = match_byte & 0x100;
bit ^= (rc_get_bit(rc, prob + 0x100 + bit + mi, &mi) << 8); /* 0x100 or 0 */
if (bit)
break;
} while (mi < 0x100);
}
while (mi < 0x100) {
rc_get_bit(rc, prob + mi, &mi);
}
state = next_state[state];
previous_byte = (uint8_t) mi;
#if ENABLE_FEATURE_LZMA_FAST
one_byte1:
buffer[buffer_pos++] = previous_byte;
if (buffer_pos == header.dict_size) {
buffer_pos = 0;
global_pos += header.dict_size;
if (transformer_write(xstate, buffer, header.dict_size) != (ssize_t)header.dict_size)
goto bad;
IF_DESKTOP(total_written += header.dict_size;)
}
#else
len = 1;
goto one_byte2;
#endif
} else {
int num_bits;
int offset;
uint16_t *prob2;
#define prob_len prob2
prob2 = p + LZMA_IS_REP + state;
if (!rc_is_bit_1(rc, prob2)) {
rep3 = rep2;
rep2 = rep1;
rep1 = rep0;
state = state < LZMA_NUM_LIT_STATES ? 0 : 3;
prob2 = p + LZMA_LEN_CODER;
} else {
prob2 += LZMA_IS_REP_G0 - LZMA_IS_REP;
if (!rc_is_bit_1(rc, prob2)) {
prob2 = (p + LZMA_IS_REP_0_LONG
+ (state << LZMA_NUM_POS_BITS_MAX)
+ pos_state
);
if (!rc_is_bit_1(rc, prob2)) {
#if ENABLE_FEATURE_LZMA_FAST
uint32_t pos;
state = state < LZMA_NUM_LIT_STATES ? 9 : 11;
pos = buffer_pos - rep0;
if ((int32_t)pos < 0) {
pos += header.dict_size;
/* see unzip_bad_lzma_2.zip: */
if (pos >= buffer_size) {
dbg("%d pos:%d buffer_size:%d", __LINE__, pos, buffer_size);
goto bad;
}
}
previous_byte = buffer[pos];
goto one_byte1;
#else
state = state < LZMA_NUM_LIT_STATES ? 9 : 11;
len = 1;
goto string;
#endif
}
} else {
uint32_t distance;
prob2 += LZMA_IS_REP_G1 - LZMA_IS_REP_G0;
distance = rep1;
if (rc_is_bit_1(rc, prob2)) {
prob2 += LZMA_IS_REP_G2 - LZMA_IS_REP_G1;
distance = rep2;
if (rc_is_bit_1(rc, prob2)) {
distance = rep3;
rep3 = rep2;
}
rep2 = rep1;
}
rep1 = rep0;
rep0 = distance;
}
state = state < LZMA_NUM_LIT_STATES ? 8 : 11;
prob2 = p + LZMA_REP_LEN_CODER;
}
prob_len = prob2 + LZMA_LEN_CHOICE;
num_bits = LZMA_LEN_NUM_LOW_BITS;
if (!rc_is_bit_1(rc, prob_len)) {
prob_len += LZMA_LEN_LOW - LZMA_LEN_CHOICE
+ (pos_state << LZMA_LEN_NUM_LOW_BITS);
offset = 0;
} else {
prob_len += LZMA_LEN_CHOICE_2 - LZMA_LEN_CHOICE;
if (!rc_is_bit_1(rc, prob_len)) {
prob_len += LZMA_LEN_MID - LZMA_LEN_CHOICE_2
+ (pos_state << LZMA_LEN_NUM_MID_BITS);
offset = 1 << LZMA_LEN_NUM_LOW_BITS;
num_bits += LZMA_LEN_NUM_MID_BITS - LZMA_LEN_NUM_LOW_BITS;
} else {
prob_len += LZMA_LEN_HIGH - LZMA_LEN_CHOICE_2;
offset = ((1 << LZMA_LEN_NUM_LOW_BITS)
+ (1 << LZMA_LEN_NUM_MID_BITS));
num_bits += LZMA_LEN_NUM_HIGH_BITS - LZMA_LEN_NUM_LOW_BITS;
}
}
rc_bit_tree_decode(rc, prob_len, num_bits, &len);
len += offset;
if (state < 4) {
int pos_slot;
uint16_t *prob3;
state += LZMA_NUM_LIT_STATES;
prob3 = p + LZMA_POS_SLOT +
((len < LZMA_NUM_LEN_TO_POS_STATES ? len :
LZMA_NUM_LEN_TO_POS_STATES - 1)
<< LZMA_NUM_POS_SLOT_BITS);
rc_bit_tree_decode(rc, prob3,
LZMA_NUM_POS_SLOT_BITS, &pos_slot);
rep0 = pos_slot;
if (pos_slot >= LZMA_START_POS_MODEL_INDEX) {
int i2, mi2, num_bits2 = (pos_slot >> 1) - 1;
rep0 = 2 | (pos_slot & 1);
if (pos_slot < LZMA_END_POS_MODEL_INDEX) {
rep0 <<= num_bits2;
prob3 = p + LZMA_SPEC_POS + rep0 - pos_slot - 1;
} else {
for (; num_bits2 != LZMA_NUM_ALIGN_BITS; num_bits2--)
rep0 = (rep0 << 1) | rc_direct_bit(rc);
rep0 <<= LZMA_NUM_ALIGN_BITS;
// Note: (int32_t)rep0 may be < 0 here
// (I have linux-3.3.4.tar.lzma which has it).
// I moved the check after "++rep0 == 0" check below.
prob3 = p + LZMA_ALIGN;
}
i2 = 1;
mi2 = 1;
while (num_bits2--) {
if (rc_get_bit(rc, prob3 + mi2, &mi2))
rep0 |= i2;
i2 <<= 1;
}
}
rep0++;
if ((int32_t)rep0 <= 0) {
if (rep0 == 0)
break;
dbg("%d rep0:%d", __LINE__, rep0);
goto bad;
}
}
len += LZMA_MATCH_MIN_LEN;
/*
* LZMA SDK has this optimized:
* it precalculates size and copies many bytes
* in a loop with simpler checks, a-la:
* do
* *(dest) = *(dest + ofs);
* while (++dest != lim);
* and
* do {
* buffer[buffer_pos++] = buffer[pos];
* if (++pos == header.dict_size)
* pos = 0;
* } while (--cur_len != 0);
* Our code is slower (more checks per byte copy):
*/
IF_NOT_FEATURE_LZMA_FAST(string:)
do {
uint32_t pos = buffer_pos - rep0;
if ((int32_t)pos < 0) {
pos += header.dict_size;
/* bug 10436 has an example file where this triggers: */
//if ((int32_t)pos < 0)
// goto bad;
/* more stringent test (see unzip_bad_lzma_1.zip): */
if (pos >= buffer_size)
goto bad;
}
previous_byte = buffer[pos];
IF_NOT_FEATURE_LZMA_FAST(one_byte2:)
buffer[buffer_pos++] = previous_byte;
if (buffer_pos == header.dict_size) {
buffer_pos = 0;
global_pos += header.dict_size;
if (transformer_write(xstate, buffer, header.dict_size) != (ssize_t)header.dict_size)
goto bad;
IF_DESKTOP(total_written += header.dict_size;)
}
len--;
} while (len != 0 && buffer_pos < header.dst_size);
/* FIXME: ...........^^^^^
* shouldn't it be "global_pos + buffer_pos < header.dst_size"?
* It probably should, but it is a "do we accidentally
* unpack more bytes than expected?" check - which
* never happens for well-formed compression data...
*/
}
}
{
IF_NOT_DESKTOP(int total_written = 0; /* success */)
IF_DESKTOP(total_written += buffer_pos;)
if (transformer_write(xstate, buffer, buffer_pos) != (ssize_t)buffer_pos) {
bad:
/* One of our users, bbunpack(), expects _us_ to emit
* the error message (since it's the best place to give
* potentially more detailed information).
* Do not fail silently.
*/
bb_simple_error_msg("corrupted data");
total_written = -1; /* failure */
}
rc_free(rc);
free(p);
free(buffer);
return total_written;
}
}