diff options
Diffstat (limited to 'archival')
-rw-r--r-- | archival/libarchive/decompress_unlzma.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/archival/libarchive/decompress_unlzma.c b/archival/libarchive/decompress_unlzma.c index 80a453806..42efd5aa7 100644 --- a/archival/libarchive/decompress_unlzma.c +++ b/archival/libarchive/decompress_unlzma.c @@ -224,6 +224,7 @@ unpack_lzma_stream(transformer_state_t *xstate) rc_t *rc; int i; uint8_t *buffer; + uint32_t buffer_size; uint8_t previous_byte = 0; size_t buffer_pos = 0, global_pos = 0; int len = 0; @@ -253,7 +254,8 @@ unpack_lzma_stream(transformer_state_t *xstate) if (header.dict_size == 0) header.dict_size++; - buffer = xmalloc(MIN(header.dst_size, header.dict_size)); + buffer_size = MIN(header.dst_size, header.dict_size); + buffer = xmalloc(buffer_size); { int num_probs; @@ -464,7 +466,10 @@ unpack_lzma_stream(transformer_state_t *xstate) if ((int32_t)pos < 0) { pos += header.dict_size; /* bug 10436 has an example file where this triggers: */ - if ((int32_t)pos < 0) + //if ((int32_t)pos < 0) + // goto bad; + /* more stringent test (see unzip_bad_lzma_1.zip): */ + if (pos >= buffer_size) goto bad; } previous_byte = buffer[pos]; |