From 38ccd6af8abbafff98d458a1c62909acfc09a514 Mon Sep 17 00:00:00 2001
From: Denys Vlasenko
Date: Sun, 8 Apr 2018 20:02:01 +0200
Subject: bzip2: fix two crashes on corrupted archives

As it turns out, longjmp'ing into freed stack is not healthy...

function old new delta
unpack_usage_messages - 97 +97
unpack_bz2_stream 369 409 +40
get_next_block 1667 1677 +10
get_bits 156 155 -1
start_bunzip 212 183 -29
bb_show_usage 181 120 -61
------------------------------------------------------------------------------
(add/remove: 1/0 grow/shrink: 2/3 up/down: 147/-91) Total: 56 bytes

Signed-off-by: Denys Vlasenko
---
 miscutils/bbconfig.c | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)
(limited to 'miscutils/bbconfig.c')

diff --git a/miscutils/bbconfig.c b/miscutils/bbconfig.c
index 9ab57876e..501349548 100644
--- a/miscutils/bbconfig.c
+++ b/miscutils/bbconfig.c
@@ -44,13 +44,22 @@ int bbconfig_main(int argc UNUSED_PARAM, char **argv UNUSED_PARAM)
 {
 #if ENABLE_FEATURE_COMPRESS_BBCONFIG
 bunzip_data *bd;
- int i = start_bunzip(&bd,
+ int i;
+ jmp_buf jmpbuf;
+
+ /* Setup for I/O error handling via longjmp */
+ i = setjmp(jmpbuf);
+ if (i == 0) {
+ i = start_bunzip(&jmpbuf,
+ &bd,
 /* src_fd: */ -1,
 /* inbuf: */ bbconfig_config_bz2,
- /* len: */ sizeof(bbconfig_config_bz2));
- /* read_bunzip can longjmp to start_bunzip, and ultimately
- * end up here with i != 0 on read data errors! Not trivial */
- if (!i) {
+ /* len: */ sizeof(bbconfig_config_bz2)
+ );
+ }
+ /* read_bunzip can longjmp and end up here with i != 0
+ * on read data errors! Not trivial */
+ if (i == 0) {
 /* Cannot use xmalloc: will leak bd in NOFORK case! */
 char *outbuf = malloc_or_warn(sizeof(bbconfig_config));
 if (outbuf) {
--
cgit v1.2.3
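Review bot: `bunzip_data *bd;` stays uninitialized while the new code gives `start_bunzip` the jmp_buf, so if start_bunzip bails out via longjmp before it has stored into `*bd`, control lands after `i = setjmp(jmpbuf)` with `i != 0` and any cleanup of `bd` that follows the hunk (which I cannot see here) would read an indeterminate pointer; initializing it as `bunzip_data *bd = NULL;` makes that path well-defined regardless of how far start_bunzip got. Separately, `bd` is modified between the setjmp and a possible longjmp and presumably read afterwards, which is exactly the case C11 7.13.2.1 leaves indeterminate for non-volatile locals; taking `&bd` forces it into memory in practice, so this is a strictness point rather than a known miscompile (`i` is fine because the second return from setjmp reassigns it). The rewritten comment before the second `if (i == 0)` still names only `read_bunzip`, although `start_bunzip` now receives the jmp_buf and can take the same exit; suggest `/* start_bunzip and read_bunzip can longjmp back to the setjmp above, landing here with i != 0 */`. bbconfig_main continues past the end of the hunk.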