From 251fc70e9722f931eec23a34030d05ba5f747b0e Mon Sep 17 00:00:00 2001
From: Denys Vlasenko <vda.linux@googlemail.com>
Date: Thu, 18 Aug 2011 12:29:41 +0000
Subject: uncompress: fix buffer underrun by corrupted input

Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
---
(limited to 'archival/libarchive/decompress_uncompress.c')

diff --git a/archival/libarchive/decompress_uncompress.c b/archival/libarchive/decompress_uncompress.c
index 44d8942..329894b 100644
--- a/archival/libarchive/decompress_uncompress.c
+++ b/archival/libarchive/decompress_uncompress.c
@@ -163,7 +163,8 @@ unpack_Z_stream(int fd_in, int fd_out)
 
 		if (insize < (int) (IBUFSIZ + 64) - IBUFSIZ) {
 			rsize = safe_read(fd_in, inbuf + insize, IBUFSIZ);
-//error check??
+			if (rsize < 0)
+				bb_error_msg(bb_msg_read_error);
 			insize += rsize;
 		}
 
@@ -195,6 +196,8 @@ unpack_Z_stream(int fd_in, int fd_out)
 
 
 			if (oldcode == -1) {
+				if (code >= 256)
+					bb_error_msg_and_die("corrupted data"); /* %ld", code); */
 				oldcode = code;
 				finchar = (int) oldcode;
 				outbuf[outpos++] = (unsigned char) finchar;
@@ -239,6 +242,8 @@ unpack_Z_stream(int fd_in, int fd_out)
 
 			/* Generate output characters in reverse order */
 			while ((long) code >= (long) 256) {
+				if (stackp <= &htabof(0))
+					bb_error_msg_and_die("corrupted data");
 				*--stackp = tab_suffixof(code);
 				code = tab_prefixof(code);
 			}
@@ -263,8 +268,7 @@ unpack_Z_stream(int fd_in, int fd_out)
 						}
 
 						if (outpos >= OBUFSIZ) {
-							full_write(fd_out, outbuf, outpos);
-//error check??
+							xwrite(fd_out, outbuf, outpos);
 							IF_DESKTOP(total_written += outpos;)
 							outpos = 0;
 						}
@@ -292,8 +296,7 @@ unpack_Z_stream(int fd_in, int fd_out)
 	} while (rsize > 0);
 
 	if (outpos > 0) {
-		full_write(fd_out, outbuf, outpos);
-//error check??
+		xwrite(fd_out, outbuf, outpos);
 		IF_DESKTOP(total_written += outpos;)
 	}
 
--
cgit v0.9.0.1-2-gef13