From a36986bb80289c1cd8d15a557e49207c9a42946b Mon Sep 17 00:00:00 2001
From: Denys Vlasenko
Date: Fri, 25 May 2018 17:03:46 +0200
Subject: unlzma: close another SEGV possibility
function old new delta
unpack_lzma_stream 2669 2686 +17
Signed-off-by: Denys Vlasenko
---
 archival/libarchive/decompress_unlzma.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
(limited to 'archival')
diff --git a/archival/libarchive/decompress_unlzma.c b/archival/libarchive/decompress_unlzma.c
index 446319e7b..6886239d0 100644
--- a/archival/libarchive/decompress_unlzma.c
+++ b/archival/libarchive/decompress_unlzma.c
@@ -350,8 +350,12 @@ unpack_lzma_stream(transformer_state_t *xstate)
 state = state < LZMA_NUM_LIT_STATES ? 9 : 11;
 pos = buffer_pos - rep0;
- if ((int32_t)pos < 0)
+ if ((int32_t)pos < 0) {
 pos += header.dict_size;
+ /* see unzip_bad_lzma_2.zip: */
+ if (pos >= buffer_size)
+ goto bad;
+ }
 previous_byte = buffer[pos];
 goto one_byte1;
 #else
-- 
cgit v1.2.3
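Review bot: The added `pos >= buffer_size` check runs only inside the wrapped branch, so when `(int32_t)pos < 0` is false, `buffer[pos]` is still indexed with no bound check. Whether `rep0` is constrained tightly enough elsewhere to keep the unwrapped `pos` below `buffer_size` is not visible here, since the body of unpack_lzma_stream starts and ends outside this hunk. Placing `if (pos >= buffer_size) goto bad;` after the closing brace instead of inside it would cover both paths with the same single comparison. The comment only names a sample file; wording such as `/* dict_size comes from the stream header: reject an index outside the allocated buffer (see unzip_bad_lzma_2.zip) */` would state the invariant being enforced, assuming that is the intent.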