aboutsummaryrefslogtreecommitdiff
path: root/archival
diff options
context:
space:
mode:
Diffstat (limited to 'archival')
-rw-r--r--archival/libarchive/decompress_unlzma.c9
1 files changed, 7 insertions, 2 deletions
diff --git a/archival/libarchive/decompress_unlzma.c b/archival/libarchive/decompress_unlzma.c
index 80a453806..42efd5aa7 100644
--- a/archival/libarchive/decompress_unlzma.c
+++ b/archival/libarchive/decompress_unlzma.c
@@ -224,6 +224,7 @@ unpack_lzma_stream(transformer_state_t *xstate)
rc_t *rc;
int i;
uint8_t *buffer;
+ uint32_t buffer_size;
uint8_t previous_byte = 0;
size_t buffer_pos = 0, global_pos = 0;
int len = 0;
@@ -253,7 +254,8 @@ unpack_lzma_stream(transformer_state_t *xstate)
if (header.dict_size == 0)
header.dict_size++;
- buffer = xmalloc(MIN(header.dst_size, header.dict_size));
+ buffer_size = MIN(header.dst_size, header.dict_size);
+ buffer = xmalloc(buffer_size);
{
int num_probs;
@@ -464,7 +466,10 @@ unpack_lzma_stream(transformer_state_t *xstate)
if ((int32_t)pos < 0) {
pos += header.dict_size;
/* bug 10436 has an example file where this triggers: */
- if ((int32_t)pos < 0)
+ //if ((int32_t)pos < 0)
+ // goto bad;
+ /* more stringent test (see unzip_bad_lzma_1.zip): */
+ if (pos >= buffer_size)
goto bad;
}
previous_byte = buffer[pos];