Brad Bishop | d5ae7d9 | 2018-06-14 09:52:03 -0700 | [diff] [blame] | 1 | busybox-1.27.2: Fix lzma segfaults |
| 2 | |
| 3 | [No upstream tracking] -- https://bugs.busybox.net/show_bug.cgi?id=10871 |
| 4 | |
| 5 | libarchive: check buffer index in lzma_decompress |
| 6 | |
| 7 | With specific defconfig busybox fails to check zip fileheader magic |
| 8 | (archival/unzip.c) and uses (archival/libarchive/decompress_unlzma.c) |
| 9 | for decompression which leads to segmentation fault. It prevents accessing into |
| 10 | buffer, which is smaller than pos index. Patch includes multiple segmentation |
| 11 | fault fixes. |
| 12 | |
| 13 | Upstream-Status: Backport [https://git.busybox.net/busybox/commit/?id=a36986bb80289c1cd8d15a557e49207c9a42946b] |
| 14 | bug: 10436 10871 |
| 15 | Signed-off-by: Andrej Valek <andrej.valek@siemens.com> |
| 16 | |
| 17 | diff --git a/archival/libarchive/decompress_unlzma.c b/archival/libarchive/decompress_unlzma.c |
| 18 | index a904087..29eee2a 100644 |
| 19 | --- a/archival/libarchive/decompress_unlzma.c |
| 20 | +++ b/archival/libarchive/decompress_unlzma.c |
| 21 | @@ -11,6 +11,14 @@ |
| 22 | #include "libbb.h" |
| 23 | #include "bb_archive.h" |
| 24 | |
| 25 | + |
| 26 | +#if 0 |
| 27 | +# define dbg(...) bb_error_msg(__VA_ARGS__) |
| 28 | +#else |
| 29 | +# define dbg(...) ((void)0) |
| 30 | +#endif |
| 31 | + |
| 32 | + |
| 33 | #if ENABLE_FEATURE_LZMA_FAST |
| 34 | # define speed_inline ALWAYS_INLINE |
| 35 | # define size_inline |
| 36 | @@ -217,6 +225,7 @@ unpack_lzma_stream(transformer_state_t *xstate) |
| 37 | rc_t *rc; |
| 38 | int i; |
| 39 | uint8_t *buffer; |
| 40 | + uint32_t buffer_size; |
| 41 | uint8_t previous_byte = 0; |
| 42 | size_t buffer_pos = 0, global_pos = 0; |
| 43 | int len = 0; |
| 44 | @@ -246,7 +255,8 @@ unpack_lzma_stream(transformer_state_t *xstate) |
| 45 | if (header.dict_size == 0) |
| 46 | header.dict_size++; |
| 47 | |
| 48 | - buffer = xmalloc(MIN(header.dst_size, header.dict_size)); |
| 49 | + buffer_size = MIN(header.dst_size, header.dict_size); |
| 50 | + buffer = xmalloc(buffer_size); |
| 51 | |
| 52 | { |
| 53 | int num_probs; |
| 54 | @@ -341,8 +351,12 @@ unpack_lzma_stream(transformer_state_t *xstate) |
| 55 | state = state < LZMA_NUM_LIT_STATES ? 9 : 11; |
| 56 | |
| 57 | pos = buffer_pos - rep0; |
| 58 | - if ((int32_t)pos < 0) |
| 59 | + if ((int32_t)pos < 0) { |
| 60 | pos += header.dict_size; |
| 61 | + /* see unzip_bad_lzma_2.zip: */ |
| 62 | + if (pos >= buffer_size) |
| 63 | + goto bad; |
| 64 | + } |
| 65 | previous_byte = buffer[pos]; |
| 66 | goto one_byte1; |
| 67 | #else |
| 68 | @@ -417,6 +431,10 @@ unpack_lzma_stream(transformer_state_t *xstate) |
| 69 | for (; num_bits2 != LZMA_NUM_ALIGN_BITS; num_bits2--) |
| 70 | rep0 = (rep0 << 1) | rc_direct_bit(rc); |
| 71 | rep0 <<= LZMA_NUM_ALIGN_BITS; |
| 72 | + if ((int32_t)rep0 < 0) { |
| 73 | + dbg("%d rep0:%d", __LINE__, rep0); |
| 74 | + goto bad; |
| 75 | + } |
| 76 | prob3 = p + LZMA_ALIGN; |
| 77 | } |
| 78 | i2 = 1; |
| 79 | @@ -450,8 +468,12 @@ unpack_lzma_stream(transformer_state_t *xstate) |
| 80 | IF_NOT_FEATURE_LZMA_FAST(string:) |
| 81 | do { |
| 82 | uint32_t pos = buffer_pos - rep0; |
| 83 | - if ((int32_t)pos < 0) |
| 84 | + if ((int32_t)pos < 0) { |
| 85 | pos += header.dict_size; |
| 86 | + /* more stringent test (see unzip_bad_lzma_1.zip): */ |
| 87 | + if (pos >= buffer_size) |
| 88 | + goto bad; |
| 89 | + } |
| 90 | previous_byte = buffer[pos]; |
| 91 | IF_NOT_FEATURE_LZMA_FAST(one_byte2:) |
| 92 | buffer[buffer_pos++] = previous_byte; |
| 93 | @@ -478,6 +500,12 @@ unpack_lzma_stream(transformer_state_t *xstate) |
| 94 | IF_DESKTOP(total_written += buffer_pos;) |
| 95 | if (transformer_write(xstate, buffer, buffer_pos) != (ssize_t)buffer_pos) { |
| 96 | bad: |
| 97 | + /* One of our users, bbunpack(), expects _us_ to emit |
| 98 | + * the error message (since it's the best place to give |
| 99 | + * potentially more detailed information). |
| 100 | + * Do not fail silently. |
| 101 | + */ |
| 102 | + bb_error_msg("corrupted data"); |
| 103 | total_written = -1; /* failure */ |
| 104 | } |
| 105 | rc_free(rc); |
| 106 | |