1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
|
Upstream-Status: Backport
http://busybox.net/downloads/fixes-1.24.1/
http://git.busybox.net/busybox/commit/?id=1de25a6e87e0e627aa34298105a3d17c60a1f44e
http://git.busybox.net/busybox/commit/?h=1_24_stable&id=6767af17f11144c7cd3cfe9ef799d7f89a78fe65
Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
From 1de25a6e87e0e627aa34298105a3d17c60a1f44e Mon Sep 17 00:00:00 2001
From: Denys Vlasenko <vda.linux@googlemail.com>
Date: Mon, 26 Oct 2015 19:33:05 +0100
Subject: [PATCH] unzip: test for bad archive SEGVing
function old new delta
huft_build 1296 1300 +4
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
---
archival/libarchive/decompress_gunzip.c | 11 +++++++----
testsuite/unzip.tests | 23 ++++++++++++++++++++++-
2 files changed, 29 insertions(+), 5 deletions(-)
diff --git a/archival/libarchive/decompress_gunzip.c b/archival/libarchive/decompress_gunzip.c
index 7b6f459..30bf451 100644
--- a/archival/libarchive/decompress_gunzip.c
+++ b/archival/libarchive/decompress_gunzip.c
@@ -305,11 +305,12 @@ static int huft_build(const unsigned *b, const unsigned n,
unsigned i; /* counter, current code */
unsigned j; /* counter */
int k; /* number of bits in current code */
- unsigned *p; /* pointer into c[], b[], or v[] */
+ const unsigned *p; /* pointer into c[], b[], or v[] */
huft_t *q; /* points to current table */
huft_t r; /* table entry for structure assignment */
huft_t *u[BMAX]; /* table stack */
unsigned v[N_MAX]; /* values in order of bit length */
+ unsigned v_end;
int ws[BMAX + 1]; /* bits decoded stack */
int w; /* bits decoded */
unsigned x[BMAX + 1]; /* bit offsets, then code stack */
@@ -324,7 +325,7 @@ static int huft_build(const unsigned *b, const unsigned n,
/* Generate counts for each bit length */
memset(c, 0, sizeof(c));
- p = (unsigned *) b; /* cast allows us to reuse p for pointing to b */
+ p = b;
i = n;
do {
c[*p]++; /* assume all entries <= BMAX */
@@ -365,12 +366,14 @@ static int huft_build(const unsigned *b, const unsigned n,
}
/* Make a table of values in order of bit lengths */
- p = (unsigned *) b;
+ p = b;
i = 0;
+ v_end = 0;
do {
j = *p++;
if (j != 0) {
v[x[j]++] = i;
+ v_end = x[j];
}
} while (++i < n);
@@ -432,7 +435,7 @@ static int huft_build(const unsigned *b, const unsigned n,
/* set up table entry in r */
r.b = (unsigned char) (k - w);
- if (p >= v + n) {
+ if (p >= v + v_end) { // Was "if (p >= v + n)" but v[] can be shorter!
r.e = 99; /* out of values--invalid code */
} else if (*p < s) {
r.e = (unsigned char) (*p < 256 ? 16 : 15); /* 256 is EOB code */
diff --git a/testsuite/unzip.tests b/testsuite/unzip.tests
index 8677a03..ca0a458 100755
--- a/testsuite/unzip.tests
+++ b/testsuite/unzip.tests
@@ -7,7 +7,7 @@
. ./testing.sh
-# testing "test name" "options" "expected result" "file input" "stdin"
+# testing "test name" "commands" "expected result" "file input" "stdin"
# file input will be file called "input"
# test can create a file "actual" instead of writing to stdout
@@ -30,6 +30,27 @@ testing "unzip (subdir only)" "unzip -q foo.zip foo/ && test -d foo && test ! -f
rmdir foo
rm foo.zip
+# File containing some damaged encrypted stream
+testing "unzip (bad archive)" "uudecode; unzip bad.zip 2>&1; echo \$?" \
+"Archive: bad.zip
+ inflating: ]3j½r«I��K-%Ix
+unzip: inflate error
+1
+" \
+"" "\
+begin-base64 644 bad.zip
+UEsDBBQAAgkIAAAAIQA5AAAANwAAADwAAAAQAAcAXTNqwr1ywqtJGxJLLSVJ
+eCkBD0AdKBk8JzQsIj01JC0/ORJQSwMEFAECCAAAAAAhADoAAAAPAAAANgAA
+AAwAAQASw73Ct1DCokohPXQiNjoUNTUiHRwgLT4WHlBLAQIQABQAAggIAAAA
+oQA5AAAANwAAADwAAAAQQAcADAAAACwAMgCAAAAAAABdM2rCvXLCq0kbEkst
+JUl4KQEPQB0oGSY4Cz4QNgEnJSYIPVBLAQIAABQAAggAAAAAIQAqAAAADwAA
+BDYAAAAMAAEADQAAADIADQAAAEEAAAASw73Ct1DKokohPXQiNzA+FAI1HCcW
+NzITNFBLBQUKAC4JAA04Cw0EOhZQSwUGAQAABAIAAgCZAAAAeQAAAAIALhM=
+====
+"
+
+rm *
+
# Clean up scratch directory.
cd ..
--
2.6.2
|
