|
@@ -0,0 +1,111 @@
|
|
|
|
|
+From 1de25a6e87e0e627aa34298105a3d17c60a1f44e Mon Sep 17 00:00:00 2001
|
|
|
|
|
+From: Denys Vlasenko <vda.linux@googlemail.com>
|
|
|
|
|
+Date: Mon, 26 Oct 2015 19:33:05 +0100
|
|
|
|
|
+Subject: [PATCH] unzip: test for bad archive SEGVing
|
|
|
|
|
+
|
|
|
|
|
+function old new delta
|
|
|
|
|
+huft_build 1296 1300 +4
|
|
|
|
|
+
|
|
|
|
|
+Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
|
|
|
|
|
+Signed-off-by: Gustavo Zacarias <gustavo@zacarias.com.ar>
|
|
|
|
|
+---
|
|
|
|
|
+ archival/libarchive/decompress_gunzip.c | 11 +++++++----
|
|
|
|
|
+ testsuite/unzip.tests | 23 ++++++++++++++++++++++-
|
|
|
|
|
+ 2 files changed, 29 insertions(+), 5 deletions(-)
|
|
|
|
|
+
|
|
|
|
|
+diff --git a/archival/libarchive/decompress_gunzip.c b/archival/libarchive/decompress_gunzip.c
|
|
|
|
|
+index 7b6f459..30bf451 100644
|
|
|
|
|
+--- a/archival/libarchive/decompress_gunzip.c
|
|
|
|
|
++++ b/archival/libarchive/decompress_gunzip.c
|
|
|
|
|
+@@ -305,11 +305,12 @@ static int huft_build(const unsigned *b, const unsigned n,
|
|
|
|
|
+ unsigned i; /* counter, current code */
|
|
|
|
|
+ unsigned j; /* counter */
|
|
|
|
|
+ int k; /* number of bits in current code */
|
|
|
|
|
+- unsigned *p; /* pointer into c[], b[], or v[] */
|
|
|
|
|
++ const unsigned *p; /* pointer into c[], b[], or v[] */
|
|
|
|
|
+ huft_t *q; /* points to current table */
|
|
|
|
|
+ huft_t r; /* table entry for structure assignment */
|
|
|
|
|
+ huft_t *u[BMAX]; /* table stack */
|
|
|
|
|
+ unsigned v[N_MAX]; /* values in order of bit length */
|
|
|
|
|
++ unsigned v_end;
|
|
|
|
|
+ int ws[BMAX + 1]; /* bits decoded stack */
|
|
|
|
|
+ int w; /* bits decoded */
|
|
|
|
|
+ unsigned x[BMAX + 1]; /* bit offsets, then code stack */
|
|
|
|
|
+@@ -324,7 +325,7 @@ static int huft_build(const unsigned *b, const unsigned n,
|
|
|
|
|
+
|
|
|
|
|
+ /* Generate counts for each bit length */
|
|
|
|
|
+ memset(c, 0, sizeof(c));
|
|
|
|
|
+- p = (unsigned *) b; /* cast allows us to reuse p for pointing to b */
|
|
|
|
|
++ p = b;
|
|
|
|
|
+ i = n;
|
|
|
|
|
+ do {
|
|
|
|
|
+ c[*p]++; /* assume all entries <= BMAX */
|
|
|
|
|
+@@ -365,12 +366,14 @@ static int huft_build(const unsigned *b, const unsigned n,
|
|
|
|
|
+ }
|
|
|
|
|
+
|
|
|
|
|
+ /* Make a table of values in order of bit lengths */
|
|
|
|
|
+- p = (unsigned *) b;
|
|
|
|
|
++ p = b;
|
|
|
|
|
+ i = 0;
|
|
|
|
|
++ v_end = 0;
|
|
|
|
|
+ do {
|
|
|
|
|
+ j = *p++;
|
|
|
|
|
+ if (j != 0) {
|
|
|
|
|
+ v[x[j]++] = i;
|
|
|
|
|
++ v_end = x[j];
|
|
|
|
|
+ }
|
|
|
|
|
+ } while (++i < n);
|
|
|
|
|
+
|
|
|
|
|
+@@ -432,7 +435,7 @@ static int huft_build(const unsigned *b, const unsigned n,
|
|
|
|
|
+
|
|
|
|
|
+ /* set up table entry in r */
|
|
|
|
|
+ r.b = (unsigned char) (k - w);
|
|
|
|
|
+- if (p >= v + n) {
|
|
|
|
|
++ if (p >= v + v_end) { // Was "if (p >= v + n)" but v[] can be shorter!
|
|
|
|
|
+ r.e = 99; /* out of values--invalid code */
|
|
|
|
|
+ } else if (*p < s) {
|
|
|
|
|
+ r.e = (unsigned char) (*p < 256 ? 16 : 15); /* 256 is EOB code */
|
|
|
|
|
+diff --git a/testsuite/unzip.tests b/testsuite/unzip.tests
|
|
|
|
|
+index 8677a03..ca0a458 100755
|
|
|
|
|
+--- a/testsuite/unzip.tests
|
|
|
|
|
++++ b/testsuite/unzip.tests
|
|
|
|
|
+@@ -7,7 +7,7 @@
|
|
|
|
|
+
|
|
|
|
|
+ . ./testing.sh
|
|
|
|
|
+
|
|
|
|
|
+-# testing "test name" "options" "expected result" "file input" "stdin"
|
|
|
|
|
++# testing "test name" "commands" "expected result" "file input" "stdin"
|
|
|
|
|
+ # file input will be file called "input"
|
|
|
|
|
+ # test can create a file "actual" instead of writing to stdout
|
|
|
|
|
+
|
|
|
|
|
+@@ -30,6 +30,27 @@ testing "unzip (subdir only)" "unzip -q foo.zip foo/ && test -d foo && test ! -f
|
|
|
|
|
+ rmdir foo
|
|
|
|
|
+ rm foo.zip
|
|
|
|
|
+
|
|
|
|
|
++# File containing some damaged encrypted stream
|
|
|
|
|
++testing "unzip (bad archive)" "uudecode; unzip bad.zip 2>&1; echo \$?" \
|
|
|
|
|
++"Archive: bad.zip
|
|
|
|
|
++ inflating: ]3j½r«I��K-%Ix
|
|
|
|
|
++unzip: inflate error
|
|
|
|
|
++1
|
|
|
|
|
++" \
|
|
|
|
|
++"" "\
|
|
|
|
|
++begin-base64 644 bad.zip
|
|
|
|
|
++UEsDBBQAAgkIAAAAIQA5AAAANwAAADwAAAAQAAcAXTNqwr1ywqtJGxJLLSVJ
|
|
|
|
|
++eCkBD0AdKBk8JzQsIj01JC0/ORJQSwMEFAECCAAAAAAhADoAAAAPAAAANgAA
|
|
|
|
|
++AAwAAQASw73Ct1DCokohPXQiNjoUNTUiHRwgLT4WHlBLAQIQABQAAggIAAAA
|
|
|
|
|
++oQA5AAAANwAAADwAAAAQQAcADAAAACwAMgCAAAAAAABdM2rCvXLCq0kbEkst
|
|
|
|
|
++JUl4KQEPQB0oGSY4Cz4QNgEnJSYIPVBLAQIAABQAAggAAAAAIQAqAAAADwAA
|
|
|
|
|
++BDYAAAAMAAEADQAAADIADQAAAEEAAAASw73Ct1DKokohPXQiNzA+FAI1HCcW
|
|
|
|
|
++NzITNFBLBQUKAC4JAA04Cw0EOhZQSwUGAQAABAIAAgCZAAAAeQAAAAIALhM=
|
|
|
|
|
++====
|
|
|
|
|
++"
|
|
|
|
|
++
|
|
|
|
|
++rm *
|
|
|
|
|
++
|
|
|
|
|
+ # Clean up scratch directory.
|
|
|
|
|
+
|
|
|
|
|
+ cd ..
|
|
|
|
|
+--
|
|
|
|
|
+2.6.2
|
|
|
|
|
+
|
Gustavo Zacarias