package/busybox/0007-unlzma-fix-SEGV-closes-10436.patch

   1 From 9ac42c500586fa5f10a1f6d22c3f797df11b1f6b Mon Sep 17 00:00:00 2001
   2 From: Denys Vlasenko <vda.linux@googlemail.com>
   3 Date: Fri, 27 Oct 2017 15:37:03 +0200
   4 Subject: [PATCH] unlzma: fix SEGV, closes 10436
   5
   6 Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
   7 Signed-off-by: Baruch Siach <baruch@tkos.co.il>
   8 ---
   9 Patch status: upstream commit 9ac42c500586f
  10
  11  archival/libarchive/decompress_unlzma.c | 6 +++++-
  12  1 file changed, 5 insertions(+), 1 deletion(-)
  13
  14 diff --git a/archival/libarchive/decompress_unlzma.c b/archival/libarchive/decompress_unlzma.c
  15 index a9040877efa0..be4342414435 100644
  16 --- a/archival/libarchive/decompress_unlzma.c
  17 +++ b/archival/libarchive/decompress_unlzma.c
  18 @@ -450,8 +450,12 @@ unpack_lzma_stream(transformer_state_t *xstate)
  19   IF_NOT_FEATURE_LZMA_FAST(string:)
  20                         do {
  21                                 uint32_t pos = buffer_pos - rep0;
  22 -                               if ((int32_t)pos < 0)
  23 +                               if ((int32_t)pos < 0) {
  24                                         pos += header.dict_size;
  25 +                                       /* bug 10436 has an example file where this triggers: */
  26 +                                       if ((int32_t)pos < 0)
  27 +                                               goto bad;
  28 +                               }
  29                                 previous_byte = buffer[pos];
  30   IF_NOT_FEATURE_LZMA_FAST(one_byte2:)
  31                                 buffer[buffer_pos++] = previous_byte;
  32 --
  33 2.15.1
  34