| Patrick Williams | d8c66bc | 2016-06-20 12:57:21 -0500 | [diff] [blame] | 1 | Upstream-Status: Backport |
| 2 | |
| 3 | http://busybox.net/downloads/fixes-1.24.1/ |
| 4 | http://git.busybox.net/busybox/commit/?id=092fabcf1df5d46cd22be4ffcd3b871f6180eb9c |
| 5 | http://git.busybox.net/busybox/commit/?h=1_24_stable&id=092fabcf1df5d46cd22be4ffcd3b871f6180eb9c |
| 6 | |
| 7 | Signed-off-by: Andre McCurdy <armccurdy@gmail.com> |
| 8 | |
| 9 | From 092fabcf1df5d46cd22be4ffcd3b871f6180eb9c Mon Sep 17 00:00:00 2001 |
| 10 | From: Denys Vlasenko <vda.linux@googlemail.com> |
| 11 | Date: Fri, 30 Oct 2015 23:41:53 +0100 |
| 12 | Subject: [PATCH] [g]unzip: fix recent breakage. |
| 13 | |
| 14 | Also, do emit error message we so painstakingly pass from gzip internals |
| 15 | |
| 16 | Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> |
| 17 | (cherry picked from commit 6bd3fff51aa74e2ee2d87887b12182a3b09792ef) |
| 18 | Signed-off-by: Mike Frysinger <vapier@gentoo.org> |
| 19 | --- |
| 20 | archival/libarchive/decompress_gunzip.c | 33 +++++++++++++++++++++------------ |
| 21 | testsuite/unzip.tests | 1 + |
| 22 | 2 files changed, 22 insertions(+), 12 deletions(-) |
| 23 | |
| 24 | diff --git a/archival/libarchive/decompress_gunzip.c b/archival/libarchive/decompress_gunzip.c |
| 25 | index c76fd31..357c9bf 100644 |
| 26 | --- a/archival/libarchive/decompress_gunzip.c |
| 27 | +++ b/archival/libarchive/decompress_gunzip.c |
| 28 | @@ -309,8 +309,7 @@ static int huft_build(const unsigned *b, const unsigned n, |
| 29 | huft_t *q; /* points to current table */ |
| 30 | huft_t r; /* table entry for structure assignment */ |
| 31 | huft_t *u[BMAX]; /* table stack */ |
| 32 | - unsigned v[N_MAX]; /* values in order of bit length */ |
| 33 | - unsigned v_end; |
| 34 | + unsigned v[N_MAX + 1]; /* values in order of bit length. last v[] is never used */ |
| 35 | int ws[BMAX + 1]; /* bits decoded stack */ |
| 36 | int w; /* bits decoded */ |
| 37 | unsigned x[BMAX + 1]; /* bit offsets, then code stack */ |
| 38 | @@ -365,15 +364,17 @@ static int huft_build(const unsigned *b, const unsigned n, |
| 39 | *xp++ = j; |
| 40 | } |
| 41 | |
| 42 | - /* Make a table of values in order of bit lengths */ |
| 43 | + /* Make a table of values in order of bit lengths. |
| 44 | + * To detect bad input, unused v[i]'s are set to invalid value UINT_MAX. |
| 45 | + * In particular, last v[i] is never filled and must not be accessed. |
| 46 | + */ |
| 47 | + memset(v, 0xff, sizeof(v)); |
| 48 | p = b; |
| 49 | i = 0; |
| 50 | - v_end = 0; |
| 51 | do { |
| 52 | j = *p++; |
| 53 | if (j != 0) { |
| 54 | v[x[j]++] = i; |
| 55 | - v_end = x[j]; |
| 56 | } |
| 57 | } while (++i < n); |
| 58 | |
| 59 | @@ -435,7 +436,9 @@ static int huft_build(const unsigned *b, const unsigned n, |
| 60 | |
| 61 | /* set up table entry in r */ |
| 62 | r.b = (unsigned char) (k - w); |
| 63 | - if (p >= v + v_end) { // Was "if (p >= v + n)" but v[] can be shorter! |
| 64 | + if (/*p >= v + n || -- redundant, caught by the second check: */ |
| 65 | + *p == UINT_MAX /* do we access uninited v[i]? (see memset(v))*/ |
| 66 | + ) { |
| 67 | r.e = 99; /* out of values--invalid code */ |
| 68 | } else if (*p < s) { |
| 69 | r.e = (unsigned char) (*p < 256 ? 16 : 15); /* 256 is EOB code */ |
| 70 | @@ -520,8 +523,9 @@ static NOINLINE int inflate_codes(STATE_PARAM_ONLY) |
| 71 | e = t->e; |
| 72 | if (e > 16) |
| 73 | do { |
| 74 | - if (e == 99) |
| 75 | - abort_unzip(PASS_STATE_ONLY);; |
| 76 | + if (e == 99) { |
| 77 | + abort_unzip(PASS_STATE_ONLY); |
| 78 | + } |
| 79 | bb >>= t->b; |
| 80 | k -= t->b; |
| 81 | e -= 16; |
| 82 | @@ -557,8 +561,9 @@ static NOINLINE int inflate_codes(STATE_PARAM_ONLY) |
| 83 | e = t->e; |
| 84 | if (e > 16) |
| 85 | do { |
| 86 | - if (e == 99) |
| 87 | + if (e == 99) { |
| 88 | abort_unzip(PASS_STATE_ONLY); |
| 89 | + } |
| 90 | bb >>= t->b; |
| 91 | k -= t->b; |
| 92 | e -= 16; |
| 93 | @@ -824,8 +829,9 @@ static int inflate_block(STATE_PARAM smallint *e) |
| 94 | |
| 95 | b_dynamic >>= 4; |
| 96 | k_dynamic -= 4; |
| 97 | - if (nl > 286 || nd > 30) |
| 98 | + if (nl > 286 || nd > 30) { |
| 99 | abort_unzip(PASS_STATE_ONLY); /* bad lengths */ |
| 100 | + } |
| 101 | |
| 102 | /* read in bit-length-code lengths */ |
| 103 | for (j = 0; j < nb; j++) { |
| 104 | @@ -906,12 +912,14 @@ static int inflate_block(STATE_PARAM smallint *e) |
| 105 | bl = lbits; |
| 106 | |
| 107 | i = huft_build(ll, nl, 257, cplens, cplext, &inflate_codes_tl, &bl); |
| 108 | - if (i != 0) |
| 109 | + if (i != 0) { |
| 110 | abort_unzip(PASS_STATE_ONLY); |
| 111 | + } |
| 112 | bd = dbits; |
| 113 | i = huft_build(ll + nl, nd, 0, cpdist, cpdext, &inflate_codes_td, &bd); |
| 114 | - if (i != 0) |
| 115 | + if (i != 0) { |
| 116 | abort_unzip(PASS_STATE_ONLY); |
| 117 | + } |
| 118 | |
| 119 | /* set up data for inflate_codes() */ |
| 120 | inflate_codes_setup(PASS_STATE bl, bd); |
| 121 | @@ -999,6 +1007,7 @@ inflate_unzip_internal(STATE_PARAM transformer_state_t *xstate) |
| 122 | error_msg = "corrupted data"; |
| 123 | if (setjmp(error_jmp)) { |
| 124 | /* Error from deep inside zip machinery */ |
| 125 | + bb_error_msg(error_msg); |
| 126 | n = -1; |
| 127 | goto ret; |
| 128 | } |
| 129 | diff --git a/testsuite/unzip.tests b/testsuite/unzip.tests |
| 130 | index ca0a458..d8738a3 100755 |
| 131 | --- a/testsuite/unzip.tests |
| 132 | +++ b/testsuite/unzip.tests |
| 133 | @@ -34,6 +34,7 @@ rm foo.zip |
| 134 | testing "unzip (bad archive)" "uudecode; unzip bad.zip 2>&1; echo \$?" \ |
| 135 | "Archive: bad.zip |
| 136 | inflating: ]3j½r«I��K-%Ix |
| 137 | +unzip: corrupted data |
| 138 | unzip: inflate error |
| 139 | 1 |
| 140 | " \ |
| 141 | -- |
| 142 | 2.6.2 |
| 143 | |