unzip: test for bad archive SEGVing

function                                             old     new   delta
huft_build                                          1296    1300      +4

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>

diff --git a/archival/libarchive/decompress_gunzip.c b/archival/libarchive/decompress_gunzip.c
index 7b6f459347a879094f3cb6c444ba312dc70e32fd..30bf451543253b8a053f4b31c51406527acef315 100644 (file)
--- a/archival/libarchive/decompress_gunzip.c
+++ b/archival/libarchive/decompress_gunzip.c
@@ -305,11 +305,12 @@ static int huft_build(const unsigned *b, const unsigned n,
        unsigned i;             /* counter, current code */
        unsigned j;             /* counter */
        int k;                  /* number of bits in current code */
-       unsigned *p;            /* pointer into c[], b[], or v[] */
+       const unsigned *p;      /* pointer into c[], b[], or v[] */
        huft_t *q;              /* points to current table */
        huft_t r;               /* table entry for structure assignment */
        huft_t *u[BMAX];        /* table stack */
        unsigned v[N_MAX];      /* values in order of bit length */
+       unsigned v_end;
        int ws[BMAX + 1];       /* bits decoded stack */
        int w;                  /* bits decoded */
        unsigned x[BMAX + 1];   /* bit offsets, then code stack */
@@ -324,7 +325,7 @@ static int huft_build(const unsigned *b, const unsigned n,
 
        /* Generate counts for each bit length */
        memset(c, 0, sizeof(c));
-       p = (unsigned *) b; /* cast allows us to reuse p for pointing to b */
+       p = b;
        i = n;
        do {
                c[*p]++; /* assume all entries <= BMAX */
@@ -365,12 +366,14 @@ static int huft_build(const unsigned *b, const unsigned n,
        }
 
        /* Make a table of values in order of bit lengths */
-       p = (unsigned *) b;
+       p = b;
        i = 0;
+       v_end = 0;
        do {
                j = *p++;
                if (j != 0) {
                        v[x[j]++] = i;
+                       v_end = x[j];
                }
        } while (++i < n);
 
@@ -432,7 +435,7 @@ static int huft_build(const unsigned *b, const unsigned n,
 
                        /* set up table entry in r */
                        r.b = (unsigned char) (k - w);
-                       if (p >= v + n) {
+                       if (p >= v + v_end) { // Was "if (p >= v + n)" but v[] can be shorter!
                                r.e = 99; /* out of values--invalid code */
                        } else if (*p < s) {
                                r.e = (unsigned char) (*p < 256 ? 16 : 15);     /* 256 is EOB code */

diff --git a/testsuite/unzip.tests b/testsuite/unzip.tests
index 8677a0306214e099e131cbb97aa344dd8908e1d1..ca0a4580087b0e8ec5fa1c474d8a772ae86c3f9c 100755 (executable)
--- a/testsuite/unzip.tests
+++ b/testsuite/unzip.tests
@@ -7,7 +7,7 @@
 
 . ./testing.sh
 
-# testing "test name" "options" "expected result" "file input" "stdin"
+# testing "test name" "commands" "expected result" "file input" "stdin"
 #   file input will be file called "input"
 #   test can create a file "actual" instead of writing to stdout
 
@@ -30,6 +30,27 @@ testing "unzip (subdir only)" "unzip -q foo.zip foo/ && test -d foo && test ! -f
 rmdir foo
 rm foo.zip
 
+# File containing some damaged encrypted stream
+testing "unzip (bad archive)" "uudecode; unzip bad.zip 2>&1; echo \$?" \
+"Archive:  bad.zip
+  inflating: ]3j½r«I\e\12K-%Ix
+unzip: inflate error
+1
+" \
+"" "\
+begin-base64 644 bad.zip
+UEsDBBQAAgkIAAAAIQA5AAAANwAAADwAAAAQAAcAXTNqwr1ywqtJGxJLLSVJ
+eCkBD0AdKBk8JzQsIj01JC0/ORJQSwMEFAECCAAAAAAhADoAAAAPAAAANgAA
+AAwAAQASw73Ct1DCokohPXQiNjoUNTUiHRwgLT4WHlBLAQIQABQAAggIAAAA
+oQA5AAAANwAAADwAAAAQQAcADAAAACwAMgCAAAAAAABdM2rCvXLCq0kbEkst
+JUl4KQEPQB0oGSY4Cz4QNgEnJSYIPVBLAQIAABQAAggAAAAAIQAqAAAADwAA
+BDYAAAAMAAEADQAAADIADQAAAEEAAAASw73Ct1DKokohPXQiNzA+FAI1HCcW
+NzITNFBLBQUKAC4JAA04Cw0EOhZQSwUGAQAABAIAAgCZAAAAeQAAAAIALhM=
+====
+"
+
+rm *
+
 # Clean up scratch directory.
 
 cd ..