| Brad Bishop | bba38f3 | 2018-08-23 16:11:46 +0800 | [diff] [blame] | 1 | From e75c01bb3249df16201b482b79bb24bec3b58188 Mon Sep 17 00:00:00 2001 |
| 2 | From: Denys Vlasenko <vda.linux@googlemail.com> |
| 3 | Date: Fri, 27 Oct 2017 15:37:03 +0200 |
| 4 | Subject: [PATCH] unlzma: fix SEGV, closes 10436 |
| 5 | |
| 6 | Upstream-Status: Backport [ https://git.busybox.net/busybox/commit/?id=9ac42c500586fa5f10a1f6d22c3f797df11b1f6b] |
| 7 | Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> |
| 8 | Signed-off-by: Sinan Kaya <okaya@kernel.org> |
| 9 | --- |
| 10 | archival/libarchive/decompress_unlzma.c | 4 ++++ |
| 11 | 1 file changed, 4 insertions(+) |
| 12 | |
| 13 | diff --git a/archival/libarchive/decompress_unlzma.c b/archival/libarchive/decompress_unlzma.c |
| 14 | index 29eee2a..41e492f 100644 |
| 15 | --- a/archival/libarchive/decompress_unlzma.c |
| 16 | +++ b/archival/libarchive/decompress_unlzma.c |
| 17 | @@ -353,6 +353,10 @@ unpack_lzma_stream(transformer_state_t *xstate) |
| 18 | pos = buffer_pos - rep0; |
| 19 | if ((int32_t)pos < 0) { |
| 20 | pos += header.dict_size; |
| 21 | + /* bug 10436 has an example file where this triggers: */ |
| 22 | + if ((int32_t)pos < 0) |
| 23 | + goto bad; |
| 24 | + |
| 25 | /* see unzip_bad_lzma_2.zip: */ |
| 26 | if (pos >= buffer_size) |
| 27 | goto bad; |
| 28 | -- |
| 29 | 2.19.0 |
| 30 | |