poky/meta/recipes-core/busybox/busybox/CVE-2017-15874.patch

From e75c01bb3249df16201b482b79bb24bec3b58188 Mon Sep 17 00:00:00 2001
From: Denys Vlasenko <vda.linux@googlemail.com>
Date: Fri, 27 Oct 2017 15:37:03 +0200
Subject: [PATCH] unlzma: fix SEGV, closes 10436

Upstream-Status: Backport [ https://git.busybox.net/busybox/commit/?id=9ac42c500586fa5f10a1f6d22c3f797df11b1f6b]
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
Signed-off-by: Sinan Kaya <okaya@kernel.org>
---
 archival/libarchive/decompress_unlzma.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/archival/libarchive/decompress_unlzma.c b/archival/libarchive/decompress_unlzma.c
index 29eee2a..41e492f 100644
--- a/archival/libarchive/decompress_unlzma.c
+++ b/archival/libarchive/decompress_unlzma.c
@@ -353,6 +353,10 @@ unpack_lzma_stream(transformer_state_t *xstate)
 						pos = buffer_pos - rep0;
 						if ((int32_t)pos < 0) {
 							pos += header.dict_size;
+							/* bug 10436 has an example file where this triggers: */
+							if ((int32_t)pos < 0)
+								goto bad;
+
 							/* see unzip_bad_lzma_2.zip: */
 							if (pos >= buffer_size)
 								goto bad;
-- 
2.19.0