Annotation of /trunk/busybox/patches/busybox-1.24.1-unzip-regression.patch
Parent Directory | Revision Log
Revision 2755 -
(hide annotations)
(download)
(as text)
Fri Jan 15 14:29:01 2016 UTC (8 years, 4 months ago) by niro
File MIME type: application/octet-stream
File size: 4383 byte(s)
Fri Jan 15 14:29:01 2016 UTC (8 years, 4 months ago) by niro
File MIME type: application/octet-stream
File size: 4383 byte(s)
-busybox-1.24.1 patches
1 | niro | 2755 | From 092fabcf1df5d46cd22be4ffcd3b871f6180eb9c Mon Sep 17 00:00:00 2001 |
2 | From: Denys Vlasenko <vda.linux@googlemail.com> | ||
3 | Date: Fri, 30 Oct 2015 23:41:53 +0100 | ||
4 | Subject: [PATCH] [g]unzip: fix recent breakage. | ||
5 | |||
6 | Also, do emit error message we so painstakingly pass from gzip internals | ||
7 | |||
8 | Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> | ||
9 | (cherry picked from commit 6bd3fff51aa74e2ee2d87887b12182a3b09792ef) | ||
10 | Signed-off-by: Mike Frysinger <vapier@gentoo.org> | ||
11 | --- | ||
12 | archival/libarchive/decompress_gunzip.c | 33 +++++++++++++++++++++------------ | ||
13 | testsuite/unzip.tests | 1 + | ||
14 | 2 files changed, 22 insertions(+), 12 deletions(-) | ||
15 | |||
16 | diff --git a/archival/libarchive/decompress_gunzip.c b/archival/libarchive/decompress_gunzip.c | ||
17 | index c76fd31..357c9bf 100644 | ||
18 | --- a/archival/libarchive/decompress_gunzip.c | ||
19 | +++ b/archival/libarchive/decompress_gunzip.c | ||
20 | @@ -309,8 +309,7 @@ static int huft_build(const unsigned *b, const unsigned n, | ||
21 | huft_t *q; /* points to current table */ | ||
22 | huft_t r; /* table entry for structure assignment */ | ||
23 | huft_t *u[BMAX]; /* table stack */ | ||
24 | - unsigned v[N_MAX]; /* values in order of bit length */ | ||
25 | - unsigned v_end; | ||
26 | + unsigned v[N_MAX + 1]; /* values in order of bit length. last v[] is never used */ | ||
27 | int ws[BMAX + 1]; /* bits decoded stack */ | ||
28 | int w; /* bits decoded */ | ||
29 | unsigned x[BMAX + 1]; /* bit offsets, then code stack */ | ||
30 | @@ -365,15 +364,17 @@ static int huft_build(const unsigned *b, const unsigned n, | ||
31 | *xp++ = j; | ||
32 | } | ||
33 | |||
34 | - /* Make a table of values in order of bit lengths */ | ||
35 | + /* Make a table of values in order of bit lengths. | ||
36 | + * To detect bad input, unused v[i]'s are set to invalid value UINT_MAX. | ||
37 | + * In particular, last v[i] is never filled and must not be accessed. | ||
38 | + */ | ||
39 | + memset(v, 0xff, sizeof(v)); | ||
40 | p = b; | ||
41 | i = 0; | ||
42 | - v_end = 0; | ||
43 | do { | ||
44 | j = *p++; | ||
45 | if (j != 0) { | ||
46 | v[x[j]++] = i; | ||
47 | - v_end = x[j]; | ||
48 | } | ||
49 | } while (++i < n); | ||
50 | |||
51 | @@ -435,7 +436,9 @@ static int huft_build(const unsigned *b, const unsigned n, | ||
52 | |||
53 | /* set up table entry in r */ | ||
54 | r.b = (unsigned char) (k - w); | ||
55 | - if (p >= v + v_end) { // Was "if (p >= v + n)" but v[] can be shorter! | ||
56 | + if (/*p >= v + n || -- redundant, caught by the second check: */ | ||
57 | + *p == UINT_MAX /* do we access uninited v[i]? (see memset(v))*/ | ||
58 | + ) { | ||
59 | r.e = 99; /* out of values--invalid code */ | ||
60 | } else if (*p < s) { | ||
61 | r.e = (unsigned char) (*p < 256 ? 16 : 15); /* 256 is EOB code */ | ||
62 | @@ -520,8 +523,9 @@ static NOINLINE int inflate_codes(STATE_PARAM_ONLY) | ||
63 | e = t->e; | ||
64 | if (e > 16) | ||
65 | do { | ||
66 | - if (e == 99) | ||
67 | - abort_unzip(PASS_STATE_ONLY);; | ||
68 | + if (e == 99) { | ||
69 | + abort_unzip(PASS_STATE_ONLY); | ||
70 | + } | ||
71 | bb >>= t->b; | ||
72 | k -= t->b; | ||
73 | e -= 16; | ||
74 | @@ -557,8 +561,9 @@ static NOINLINE int inflate_codes(STATE_PARAM_ONLY) | ||
75 | e = t->e; | ||
76 | if (e > 16) | ||
77 | do { | ||
78 | - if (e == 99) | ||
79 | + if (e == 99) { | ||
80 | abort_unzip(PASS_STATE_ONLY); | ||
81 | + } | ||
82 | bb >>= t->b; | ||
83 | k -= t->b; | ||
84 | e -= 16; | ||
85 | @@ -824,8 +829,9 @@ static int inflate_block(STATE_PARAM smallint *e) | ||
86 | |||
87 | b_dynamic >>= 4; | ||
88 | k_dynamic -= 4; | ||
89 | - if (nl > 286 || nd > 30) | ||
90 | + if (nl > 286 || nd > 30) { | ||
91 | abort_unzip(PASS_STATE_ONLY); /* bad lengths */ | ||
92 | + } | ||
93 | |||
94 | /* read in bit-length-code lengths */ | ||
95 | for (j = 0; j < nb; j++) { | ||
96 | @@ -906,12 +912,14 @@ static int inflate_block(STATE_PARAM smallint *e) | ||
97 | bl = lbits; | ||
98 | |||
99 | i = huft_build(ll, nl, 257, cplens, cplext, &inflate_codes_tl, &bl); | ||
100 | - if (i != 0) | ||
101 | + if (i != 0) { | ||
102 | abort_unzip(PASS_STATE_ONLY); | ||
103 | + } | ||
104 | bd = dbits; | ||
105 | i = huft_build(ll + nl, nd, 0, cpdist, cpdext, &inflate_codes_td, &bd); | ||
106 | - if (i != 0) | ||
107 | + if (i != 0) { | ||
108 | abort_unzip(PASS_STATE_ONLY); | ||
109 | + } | ||
110 | |||
111 | /* set up data for inflate_codes() */ | ||
112 | inflate_codes_setup(PASS_STATE bl, bd); | ||
113 | @@ -999,6 +1007,7 @@ inflate_unzip_internal(STATE_PARAM transformer_state_t *xstate) | ||
114 | error_msg = "corrupted data"; | ||
115 | if (setjmp(error_jmp)) { | ||
116 | /* Error from deep inside zip machinery */ | ||
117 | + bb_error_msg(error_msg); | ||
118 | n = -1; | ||
119 | goto ret; | ||
120 | } | ||
121 | diff --git a/testsuite/unzip.tests b/testsuite/unzip.tests | ||
122 | index ca0a458..d8738a3 100755 | ||
123 | --- a/testsuite/unzip.tests | ||
124 | +++ b/testsuite/unzip.tests | ||
125 | @@ -34,6 +34,7 @@ rm foo.zip | ||
126 | testing "unzip (bad archive)" "uudecode; unzip bad.zip 2>&1; echo \$?" \ | ||
127 | "Archive: bad.zip | ||
128 | inflating: ]3j½r«IK-%Ix | ||
129 | +unzip: corrupted data | ||
130 | unzip: inflate error | ||
131 | 1 | ||
132 | " \ | ||
133 | -- | ||
134 | 2.6.2 | ||
135 |
Properties
Name | Value |
---|---|
svn:mime-type | application/octet-stream |