Patrick Williams | d8c66bc | 2016-06-20 12:57:21 -0500 | [diff] [blame] | 1 | Upstream-Status: Backport |
| 2 | |
| 3 | http://busybox.net/downloads/fixes-1.24.1/ |
| 4 | http://git.busybox.net/busybox/commit/?id=1de25a6e87e0e627aa34298105a3d17c60a1f44e |
| 5 | http://git.busybox.net/busybox/commit/?h=1_24_stable&id=6767af17f11144c7cd3cfe9ef799d7f89a78fe65 |
| 6 | |
| 7 | Signed-off-by: Andre McCurdy <armccurdy@gmail.com> |
| 8 | |
| 9 | From 1de25a6e87e0e627aa34298105a3d17c60a1f44e Mon Sep 17 00:00:00 2001 |
| 10 | From: Denys Vlasenko <vda.linux@googlemail.com> |
| 11 | Date: Mon, 26 Oct 2015 19:33:05 +0100 |
| 12 | Subject: [PATCH] unzip: test for bad archive SEGVing |
| 13 | |
| 14 | function old new delta |
| 15 | huft_build 1296 1300 +4 |
| 16 | |
| 17 | Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> |
| 18 | --- |
| 19 | archival/libarchive/decompress_gunzip.c | 11 +++++++---- |
| 20 | testsuite/unzip.tests | 23 ++++++++++++++++++++++- |
| 21 | 2 files changed, 29 insertions(+), 5 deletions(-) |
| 22 | |
| 23 | diff --git a/archival/libarchive/decompress_gunzip.c b/archival/libarchive/decompress_gunzip.c |
| 24 | index 7b6f459..30bf451 100644 |
| 25 | --- a/archival/libarchive/decompress_gunzip.c |
| 26 | +++ b/archival/libarchive/decompress_gunzip.c |
| 27 | @@ -305,11 +305,12 @@ static int huft_build(const unsigned *b, const unsigned n, |
| 28 | unsigned i; /* counter, current code */ |
| 29 | unsigned j; /* counter */ |
| 30 | int k; /* number of bits in current code */ |
| 31 | - unsigned *p; /* pointer into c[], b[], or v[] */ |
| 32 | + const unsigned *p; /* pointer into c[], b[], or v[] */ |
| 33 | huft_t *q; /* points to current table */ |
| 34 | huft_t r; /* table entry for structure assignment */ |
| 35 | huft_t *u[BMAX]; /* table stack */ |
| 36 | unsigned v[N_MAX]; /* values in order of bit length */ |
| 37 | + unsigned v_end; |
| 38 | int ws[BMAX + 1]; /* bits decoded stack */ |
| 39 | int w; /* bits decoded */ |
| 40 | unsigned x[BMAX + 1]; /* bit offsets, then code stack */ |
| 41 | @@ -324,7 +325,7 @@ static int huft_build(const unsigned *b, const unsigned n, |
| 42 | |
| 43 | /* Generate counts for each bit length */ |
| 44 | memset(c, 0, sizeof(c)); |
| 45 | - p = (unsigned *) b; /* cast allows us to reuse p for pointing to b */ |
| 46 | + p = b; |
| 47 | i = n; |
| 48 | do { |
| 49 | c[*p]++; /* assume all entries <= BMAX */ |
| 50 | @@ -365,12 +366,14 @@ static int huft_build(const unsigned *b, const unsigned n, |
| 51 | } |
| 52 | |
| 53 | /* Make a table of values in order of bit lengths */ |
| 54 | - p = (unsigned *) b; |
| 55 | + p = b; |
| 56 | i = 0; |
| 57 | + v_end = 0; |
| 58 | do { |
| 59 | j = *p++; |
| 60 | if (j != 0) { |
| 61 | v[x[j]++] = i; |
| 62 | + v_end = x[j]; |
| 63 | } |
| 64 | } while (++i < n); |
| 65 | |
| 66 | @@ -432,7 +435,7 @@ static int huft_build(const unsigned *b, const unsigned n, |
| 67 | |
| 68 | /* set up table entry in r */ |
| 69 | r.b = (unsigned char) (k - w); |
| 70 | - if (p >= v + n) { |
| 71 | + if (p >= v + v_end) { // Was "if (p >= v + n)" but v[] can be shorter! |
| 72 | r.e = 99; /* out of values--invalid code */ |
| 73 | } else if (*p < s) { |
| 74 | r.e = (unsigned char) (*p < 256 ? 16 : 15); /* 256 is EOB code */ |
| 75 | diff --git a/testsuite/unzip.tests b/testsuite/unzip.tests |
| 76 | index 8677a03..ca0a458 100755 |
| 77 | --- a/testsuite/unzip.tests |
| 78 | +++ b/testsuite/unzip.tests |
| 79 | @@ -7,7 +7,7 @@ |
| 80 | |
| 81 | . ./testing.sh |
| 82 | |
| 83 | -# testing "test name" "options" "expected result" "file input" "stdin" |
| 84 | +# testing "test name" "commands" "expected result" "file input" "stdin" |
| 85 | # file input will be file called "input" |
| 86 | # test can create a file "actual" instead of writing to stdout |
| 87 | |
| 88 | @@ -30,6 +30,27 @@ testing "unzip (subdir only)" "unzip -q foo.zip foo/ && test -d foo && test ! -f |
| 89 | rmdir foo |
| 90 | rm foo.zip |
| 91 | |
| 92 | +# File containing some damaged encrypted stream |
| 93 | +testing "unzip (bad archive)" "uudecode; unzip bad.zip 2>&1; echo \$?" \ |
| 94 | +"Archive: bad.zip |
| 95 | + inflating: ]3j½r«IK-%Ix |
| 96 | +unzip: inflate error |
| 97 | +1 |
| 98 | +" \ |
| 99 | +"" "\ |
| 100 | +begin-base64 644 bad.zip |
| 101 | +UEsDBBQAAgkIAAAAIQA5AAAANwAAADwAAAAQAAcAXTNqwr1ywqtJGxJLLSVJ |
| 102 | +eCkBD0AdKBk8JzQsIj01JC0/ORJQSwMEFAECCAAAAAAhADoAAAAPAAAANgAA |
| 103 | +AAwAAQASw73Ct1DCokohPXQiNjoUNTUiHRwgLT4WHlBLAQIQABQAAggIAAAA |
| 104 | +oQA5AAAANwAAADwAAAAQQAcADAAAACwAMgCAAAAAAABdM2rCvXLCq0kbEkst |
| 105 | +JUl4KQEPQB0oGSY4Cz4QNgEnJSYIPVBLAQIAABQAAggAAAAAIQAqAAAADwAA |
| 106 | +BDYAAAAMAAEADQAAADIADQAAAEEAAAASw73Ct1DKokohPXQiNzA+FAI1HCcW |
| 107 | +NzITNFBLBQUKAC4JAA04Cw0EOhZQSwUGAQAABAIAAgCZAAAAeQAAAAIALhM= |
| 108 | +==== |
| 109 | +" |
| 110 | + |
| 111 | +rm * |
| 112 | + |
| 113 | # Clean up scratch directory. |
| 114 | |
| 115 | cd .. |
| 116 | -- |
| 117 | 2.6.2 |
| 118 | |