From a1870f4807a75663a085c9f5e92870fa7554f0ad Mon Sep 17 00:00:00 2001
From: Denys Vlasenko
Date: Sun, 8 Apr 2018 20:45:16 +0200
Subject: [PATCH] unlzma: fix segfault on bad archive

function old new delta
unpack_lzma_stream 2647 2653 +6

Signed-off-by: Denys Vlasenko
---
 archival/libarchive/decompress_unlzma.c | 11 +++++++++++
 testsuite/unlzma.tests | 21 +++++++++++++++++++++
 testsuite/unlzma_issue_1.lzma | Bin 0 -> 171 bytes
 testsuite/unlzma_issue_2.lzma | Bin 0 -> 261 bytes
 4 files changed, 32 insertions(+)
 create mode 100755 testsuite/unlzma.tests
 create mode 100644 testsuite/unlzma_issue_1.lzma
 create mode 100644 testsuite/unlzma_issue_2.lzma

diff --git a/archival/libarchive/decompress_unlzma.c b/archival/libarchive/decompress_unlzma.c
index be4342414..80a453806 100644
--- a/archival/libarchive/decompress_unlzma.c
+++ b/archival/libarchive/decompress_unlzma.c
@@ -11,6 +11,13 @@
 #include "libbb.h"
 #include "bb_archive.h"
 
+#if 0
+# define dbg(...) bb_error_msg(__VA_ARGS__)
+#else
+# define dbg(...) ((void)0)
+#endif
+
+
 #if ENABLE_FEATURE_LZMA_FAST
 # define speed_inline ALWAYS_INLINE
 # define size_inline
@@ -417,6 +424,10 @@ unpack_lzma_stream(transformer_state_t *xstate)
 for (; num_bits2 != LZMA_NUM_ALIGN_BITS; num_bits2--)
 rep0 = (rep0 << 1) | rc_direct_bit(rc);
 rep0 <<= LZMA_NUM_ALIGN_BITS;
+ if ((int32_t)rep0 < 0) {
+ dbg("%d rep0:%d", __LINE__, rep0);
+ goto bad;
+ }
 prob3 = p + LZMA_ALIGN;
 }
 i2 = 1;
diff --git a/testsuite/unlzma.tests b/testsuite/unlzma.tests
new file mode 100755
index 000000000..0e98afe09
--- /dev/null
+++ b/testsuite/unlzma.tests
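Review bot: The guard added after `rep0 <<= LZMA_NUM_ALIGN_BITS;` rejects only a distance whose top bit is set after the shift; a rep0 that stays below 2^31 but exceeds the number of bytes already written to the output dictionary would pass it, and nothing in this hunk compares rep0 against the current output position, so an out-of-range read on the match copy is excluded here only if such a bound exists elsewhere (unpack_lzma_stream begins and ends outside the hunk). That bound should be confirmed, or added immediately before the match copy rather than in this branch, since any rep1–rep3 reuse path that sets rep0 without passing through this block (not visible here) would otherwise skip the check. The cast `(int32_t)rep0` implies rep0 is an unsigned 32-bit value, so the format in `dbg("%d rep0:%d", __LINE__, rep0);` should be `"%d rep0:%u"` — it is compiled out under `#if 0`, but it is what a developer enabling the macro will hit with -Wformat. A one-line comment on the guard, `/* distance overflowed 32 bits: corrupt stream, reject before rep0 is used as an offset */`, would record why a sign test is the intended rejection.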
@@ -0,0 +1,21 @@ +#!/bin/sh + +. ./testing.sh + +# testing "test name" "commands" "expected result" "file input" "stdin" +# file input will be file called "input" +# test can create a file "actual" instead of writing to stdout + +# Damaged encrypted streams +testing "unlzma (bad archive 1)" \ + "unlzma /dev/null; echo \$?" \ +"1 +" "" "" + +# Damaged encrypted streams +testing "unlzma (bad archive 2)" \ + "unlzma /dev/null; echo \$?" \ +"1 +" "" "" + +exit $FAILCOUNT diff --git a/testsuite/unlzma_issue_1.lzma b/testsuite/unlzma_issue_1.lzma new file mode 100644 index 0000000000000000000000000000000000000000..fb70104bac0577a3aae9fbd9da6c9da8fff5cd10 GIT binary patch literal 171 zcma!LK!65@|4_hSWMSI9M|ydWiObhN48ML{b`Rb;f6@OhfvKB>bMK1$`gAX(H}ZDZ zjj0;Bo;#K<@Vev`x%*16?7Xx0#g|^K(fE6q-*#uShQkAHskoI+2Y=tsvN?UQaK#JR zDZ*b3J{lTX{M6YSXVO)^MBs^yVWZ+T?f(jAH$DHYxx9Vak;aPh@c1~v>p6u;(%cd!!znifI4kxeL zdn(1%tM|Po#k>8();PP`hoFF__>|iiO}CL-Oo~!DGBPtWH!?6YHaImjH#apnFgfa} zEMwb>*p(=4Nw}q;O43eQyVO%1p3UDErPX{W{lgDExq~P`;0qdFsY1c~-)cO|!EvbQ z9h4LGF!3?EEWKVdig%
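Review bot: The comment `# Damaged encrypted streams` above each case describes the fixtures incorrectly — the inputs are damaged compressed LZMA streams, not encrypted ones — so both occurrences should read `# Damaged compressed streams`. As rendered here the commands read `"unlzma /dev/null; echo \$?"` and never name the unlzma_issue_1.lzma / unlzma_issue_2.lzma fixtures the commit adds; presumably an input redirection was lost in rendering, but if the committed file really reads this way the tests do not exercise the bad archives and would pass for the wrong reason (unlzma rejecting a non-LZMA /dev/null). Worth verifying that the committed file references each fixture explicitly so the regression is actually covered.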