unlzma: fix SEGV, closes 10436
authorDenys Vlasenko <vda.linux@googlemail.com>
Fri, 27 Oct 2017 13:37:03 +0000 (15:37 +0200)
committerDenys Vlasenko <vda.linux@googlemail.com>
Fri, 27 Oct 2017 13:37:03 +0000 (15:37 +0200)
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
archival/libarchive/decompress_unlzma.c

index a9040877efa09d1c54082ef6f81e945c2d5e91e7..be43424144355978af29d610c297350637ffafc0 100644 (file)
@@ -450,8 +450,12 @@ unpack_lzma_stream(transformer_state_t *xstate)
  IF_NOT_FEATURE_LZMA_FAST(string:)
                        do {
                                uint32_t pos = buffer_pos - rep0;
-                               if ((int32_t)pos < 0)
+                               if ((int32_t)pos < 0) {
                                        pos += header.dict_size;
+                                       /* bug 10436 has an example file where this triggers: */
+                                       if ((int32_t)pos < 0)
+                                               goto bad;
+                               }
                                previous_byte = buffer[pos];
  IF_NOT_FEATURE_LZMA_FAST(one_byte2:)
                                buffer[buffer_pos++] = previous_byte;
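Review bot: The new guard `if ((int32_t)pos < 0) goto bad;` tests only the sign bit of the adjusted index, so it does not by itself establish that `pos` is inside `buffer` before `previous_byte = buffer[pos];` runs. An explicit upper-bound comparison is the stronger check, e.g. `if (pos >= header.dict_size) goto bad;`, using the actual allocated length of `buffer` instead if that can be smaller than `header.dict_size` (the allocation is not visible in this hunk). Placing that comparison after the closing brace rather than inside it would also cover the path where `buffer_pos - rep0` wraps to a value whose top bit is clear, which the outer sign test lets through unadjusted; whether `rep0` can get that large depends on code outside the hunk. `unpack_lzma_stream` and the `bad` label both lie outside the lines shown.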