unlzma: close another SEGV possibility
authorDenys Vlasenko <vda.linux@googlemail.com>
Fri, 25 May 2018 15:03:46 +0000 (17:03 +0200)
committerDenys Vlasenko <vda.linux@googlemail.com>
Fri, 25 May 2018 15:03:46 +0000 (17:03 +0200)
function                                             old     new   delta
unpack_lzma_stream                                  2669    2686     +17

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
archival/libarchive/decompress_unlzma.c
testsuite/unzip.tests
testsuite/unzip_bad_lzma_2.zip [new file with mode: 0644]

index 446319e7ba8ac2ec1bbeaba51ff8821342be98e4..6886239d0351ddf33a5289dc11454cc9da5411e2 100644 (file)
@@ -350,8 +350,12 @@ unpack_lzma_stream(transformer_state_t *xstate)
                                                state = state < LZMA_NUM_LIT_STATES ? 9 : 11;
 
                                                pos = buffer_pos - rep0;
-                                               if ((int32_t)pos < 0)
+                                               if ((int32_t)pos < 0) {
                                                        pos += header.dict_size;
+                                                       /* see unzip_bad_lzma_2.zip: */
+                                                       if (pos >= buffer_size)
+                                                               goto bad;
+                                               }
                                                previous_byte = buffer[pos];
                                                goto one_byte1;
 #else
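Review bot: The new `if (pos >= buffer_size) goto bad;` only runs in the wrapped branch, so if rep0 can exceed buffer_pos by more than 2^31 the `(int32_t)pos < 0` test reads the underflowed value as positive and `buffer[pos]` on the next line indexes far past the buffer unguarded; whether rep0 is range-limited where it is decoded is outside this hunk and should be confirmed. If it is not, moving the check after the closing `}` so it is evaluated unconditionally, `if (pos >= buffer_size) goto bad;`, covers both the wrapped and the huge-distance case at no extra cost. The comment `/* see unzip_bad_lzma_2.zip: */` names the reproducer but not the reason; something like `/* buffer may be smaller than dict_size, so the wrapped offset can land past its end */` would tell the next reader why (assuming buffer_size can be below header.dict_size — confirm against the allocation). unpack_lzma_stream starts and ends outside this hunk, and the `#else` path beginning here is not visible, so I cannot tell whether it needs the same guard.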
index 6bcb6b3a234383babaa5c29da0a36a493f01040f..af53de9df048d188e129689c009e943e6a910d7c 100755 (executable)
@@ -14,7 +14,7 @@
 # Create a scratch directory
 
 mkdir temp
-cd temp || exit 90
+cd temp || exit $?
 
 # Create test file to work with.
 
@@ -54,9 +54,22 @@ SKIP=
 
 rm -f *
 
-optional CONFIG_FEATURE_UNZIP_LZMA
-testing "unzip (archive with corrupted lzma)" "unzip -p ../unzip_bad_lzma_1.zip 2>&1; echo \$?" \
+optional FEATURE_UNZIP_LZMA
+testing "unzip (archive with corrupted lzma 1)" "unzip -p ../unzip_bad_lzma_1.zip 2>&1; echo \$?" \
 "unzip: removing leading '/' from member names
+unzip: corrupted data
+unzip: inflate error
+1
+" \
+"" ""
+SKIP=
+
+rm -f *
+
+optional FEATURE_UNZIP_LZMA
+testing "unzip (archive with corrupted lzma 2)" "unzip -p ../unzip_bad_lzma_2.zip 2>&1; echo \$?" \
+"unzip: removing leading '/' from member names
+unzip: corrupted data
 unzip: inflate error
 1
 " \
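Review bot: The expected output of the pre-existing "corrupted lzma 1" case gains a `unzip: corrupted data` line, yet the only code change in this commit is the new `goto bad` on a different input, so the commit message should say why that archive's output changed — presumably the message was added earlier and this test had been failing or skipped, but that is not evident from the diff. The rename from `optional CONFIG_FEATURE_UNZIP_LZMA` to `optional FEATURE_UNZIP_LZMA` looks like it fixes a test that was silently never run (if the helper prepends `CONFIG_` itself), which would explain the stale expectation and is worth one line in the description. Both cases now assert the same two messages and exit status 1, so if the two archives hit different failure paths the tests cannot distinguish them; a short comment above each `testing` call naming what each archive triggers (e.g. `# lzma_2: wrapped dictionary offset past buffer end`) would preserve that knowledge.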
diff --git a/testsuite/unzip_bad_lzma_2.zip b/testsuite/unzip_bad_lzma_2.zip
new file mode 100644 (file)
index 0000000..cdb9170
Binary files /dev/null and b/testsuite/unzip_bad_lzma_2.zip differ