Contents of /trunk/busybox/patches/busybox-1.24.1-unzip-regression.patch
Parent Directory | Revision Log
Revision 2755 -
(show annotations)
(download)
(as text)
Fri Jan 15 14:29:01 2016 UTC (8 years, 8 months ago) by niro
File MIME type: application/octet-stream
File size: 4383 byte(s)
Fri Jan 15 14:29:01 2016 UTC (8 years, 8 months ago) by niro
File MIME type: application/octet-stream
File size: 4383 byte(s)
-busybox-1.24.1 patches
1 | From 092fabcf1df5d46cd22be4ffcd3b871f6180eb9c Mon Sep 17 00:00:00 2001 |
2 | From: Denys Vlasenko <vda.linux@googlemail.com> |
3 | Date: Fri, 30 Oct 2015 23:41:53 +0100 |
4 | Subject: [PATCH] [g]unzip: fix recent breakage. |
5 | |
6 | Also, do emit error message we so painstakingly pass from gzip internals |
7 | |
8 | Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> |
9 | (cherry picked from commit 6bd3fff51aa74e2ee2d87887b12182a3b09792ef) |
10 | Signed-off-by: Mike Frysinger <vapier@gentoo.org> |
11 | --- |
12 | archival/libarchive/decompress_gunzip.c | 33 +++++++++++++++++++++------------ |
13 | testsuite/unzip.tests | 1 + |
14 | 2 files changed, 22 insertions(+), 12 deletions(-) |
15 | |
16 | diff --git a/archival/libarchive/decompress_gunzip.c b/archival/libarchive/decompress_gunzip.c |
17 | index c76fd31..357c9bf 100644 |
18 | --- a/archival/libarchive/decompress_gunzip.c |
19 | +++ b/archival/libarchive/decompress_gunzip.c |
20 | @@ -309,8 +309,7 @@ static int huft_build(const unsigned *b, const unsigned n, |
21 | huft_t *q; /* points to current table */ |
22 | huft_t r; /* table entry for structure assignment */ |
23 | huft_t *u[BMAX]; /* table stack */ |
24 | - unsigned v[N_MAX]; /* values in order of bit length */ |
25 | - unsigned v_end; |
26 | + unsigned v[N_MAX + 1]; /* values in order of bit length. last v[] is never used */ |
27 | int ws[BMAX + 1]; /* bits decoded stack */ |
28 | int w; /* bits decoded */ |
29 | unsigned x[BMAX + 1]; /* bit offsets, then code stack */ |
30 | @@ -365,15 +364,17 @@ static int huft_build(const unsigned *b, const unsigned n, |
31 | *xp++ = j; |
32 | } |
33 | |
34 | - /* Make a table of values in order of bit lengths */ |
35 | + /* Make a table of values in order of bit lengths. |
36 | + * To detect bad input, unused v[i]'s are set to invalid value UINT_MAX. |
37 | + * In particular, last v[i] is never filled and must not be accessed. |
38 | + */ |
39 | + memset(v, 0xff, sizeof(v)); |
40 | p = b; |
41 | i = 0; |
42 | - v_end = 0; |
43 | do { |
44 | j = *p++; |
45 | if (j != 0) { |
46 | v[x[j]++] = i; |
47 | - v_end = x[j]; |
48 | } |
49 | } while (++i < n); |
50 | |
51 | @@ -435,7 +436,9 @@ static int huft_build(const unsigned *b, const unsigned n, |
52 | |
53 | /* set up table entry in r */ |
54 | r.b = (unsigned char) (k - w); |
55 | - if (p >= v + v_end) { // Was "if (p >= v + n)" but v[] can be shorter! |
56 | + if (/*p >= v + n || -- redundant, caught by the second check: */ |
57 | + *p == UINT_MAX /* do we access uninited v[i]? (see memset(v))*/ |
58 | + ) { |
59 | r.e = 99; /* out of values--invalid code */ |
60 | } else if (*p < s) { |
61 | r.e = (unsigned char) (*p < 256 ? 16 : 15); /* 256 is EOB code */ |
62 | @@ -520,8 +523,9 @@ static NOINLINE int inflate_codes(STATE_PARAM_ONLY) |
63 | e = t->e; |
64 | if (e > 16) |
65 | do { |
66 | - if (e == 99) |
67 | - abort_unzip(PASS_STATE_ONLY);; |
68 | + if (e == 99) { |
69 | + abort_unzip(PASS_STATE_ONLY); |
70 | + } |
71 | bb >>= t->b; |
72 | k -= t->b; |
73 | e -= 16; |
74 | @@ -557,8 +561,9 @@ static NOINLINE int inflate_codes(STATE_PARAM_ONLY) |
75 | e = t->e; |
76 | if (e > 16) |
77 | do { |
78 | - if (e == 99) |
79 | + if (e == 99) { |
80 | abort_unzip(PASS_STATE_ONLY); |
81 | + } |
82 | bb >>= t->b; |
83 | k -= t->b; |
84 | e -= 16; |
85 | @@ -824,8 +829,9 @@ static int inflate_block(STATE_PARAM smallint *e) |
86 | |
87 | b_dynamic >>= 4; |
88 | k_dynamic -= 4; |
89 | - if (nl > 286 || nd > 30) |
90 | + if (nl > 286 || nd > 30) { |
91 | abort_unzip(PASS_STATE_ONLY); /* bad lengths */ |
92 | + } |
93 | |
94 | /* read in bit-length-code lengths */ |
95 | for (j = 0; j < nb; j++) { |
96 | @@ -906,12 +912,14 @@ static int inflate_block(STATE_PARAM smallint *e) |
97 | bl = lbits; |
98 | |
99 | i = huft_build(ll, nl, 257, cplens, cplext, &inflate_codes_tl, &bl); |
100 | - if (i != 0) |
101 | + if (i != 0) { |
102 | abort_unzip(PASS_STATE_ONLY); |
103 | + } |
104 | bd = dbits; |
105 | i = huft_build(ll + nl, nd, 0, cpdist, cpdext, &inflate_codes_td, &bd); |
106 | - if (i != 0) |
107 | + if (i != 0) { |
108 | abort_unzip(PASS_STATE_ONLY); |
109 | + } |
110 | |
111 | /* set up data for inflate_codes() */ |
112 | inflate_codes_setup(PASS_STATE bl, bd); |
113 | @@ -999,6 +1007,7 @@ inflate_unzip_internal(STATE_PARAM transformer_state_t *xstate) |
114 | error_msg = "corrupted data"; |
115 | if (setjmp(error_jmp)) { |
116 | /* Error from deep inside zip machinery */ |
117 | + bb_error_msg(error_msg); |
118 | n = -1; |
119 | goto ret; |
120 | } |
121 | diff --git a/testsuite/unzip.tests b/testsuite/unzip.tests |
122 | index ca0a458..d8738a3 100755 |
123 | --- a/testsuite/unzip.tests |
124 | +++ b/testsuite/unzip.tests |
125 | @@ -34,6 +34,7 @@ rm foo.zip |
126 | testing "unzip (bad archive)" "uudecode; unzip bad.zip 2>&1; echo \$?" \ |
127 | "Archive: bad.zip |
128 | inflating: ]3j½r«IK-%Ix |
129 | +unzip: corrupted data |
130 | unzip: inflate error |
131 | 1 |
132 | " \ |
133 | -- |
134 | 2.6.2 |
135 |
Properties
Name | Value |
---|---|
svn:mime-type | application/octet-stream |