| From 9ac42c500586fa5f10a1f6d22c3f797df11b1f6b Mon Sep 17 00:00:00 2001 |
| From: Denys Vlasenko <vda.linux@googlemail.com> |
| Date: Fri, 27 Oct 2017 15:37:03 +0200 |
| Subject: [PATCH] unlzma: fix SEGV, closes 10436 |
| |
| Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> |
| Signed-off-by: Baruch Siach <baruch@tkos.co.il> |
| --- |
| Patch status: upstream commit 9ac42c500586f |
| |
| archival/libarchive/decompress_unlzma.c | 6 +++++- |
| 1 file changed, 5 insertions(+), 1 deletion(-) |
| |
| diff --git a/archival/libarchive/decompress_unlzma.c b/archival/libarchive/decompress_unlzma.c |
| index a9040877efa0..be4342414435 100644 |
| --- a/archival/libarchive/decompress_unlzma.c |
| +++ b/archival/libarchive/decompress_unlzma.c |
| @@ -450,8 +450,12 @@ unpack_lzma_stream(transformer_state_t *xstate) |
| IF_NOT_FEATURE_LZMA_FAST(string:) |
| do { |
| uint32_t pos = buffer_pos - rep0; |
| - if ((int32_t)pos < 0) |
| + if ((int32_t)pos < 0) { |
| pos += header.dict_size; |
| + /* bug 10436 has an example file where this triggers: */ |
| + if ((int32_t)pos < 0) |
| + goto bad; |
| + } |
| previous_byte = buffer[pos]; |
| IF_NOT_FEATURE_LZMA_FAST(one_byte2:) |
| buffer[buffer_pos++] = previous_byte; |
| -- |
| 2.15.1 |
| |
