Decompressors: validate match distance in unlzma.c
author Lasse Collin <lasse.collin@tukaani.org>
Fri, 11 Nov 2011 13:34:24 +0000 (14:34 +0100)
committer Lasse Collin <lasse.collin@tukaani.org>
Fri, 11 Nov 2011 13:34:24 +0000 (14:34 +0100)
From: Lasse Collin <lasse.collin@tukaani.org>

Validate the newly decoded distance (rep0) in process_bit1().  This is to
detect corrupt LZMA data quickly.  The old code can run for a long time
producing garbage until it hits the end of the input.

Signed-off-by: Lasse Collin <lasse.collin@tukaani.org>
Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Keir Fraser <keir@xen.org>
Committed-by: Jan Beulich <jbeulich@suse.com>
xen/common/unlzma.c

index 6dcd7ba20b5ee849469e62020b56f531374ae562..87b9e0a9642fe622f998f48a53898e0125375941 100644 (file)
@@ -516,6 +516,9 @@ static inline int INIT process_bit1(struct writer *wr, struct rc *rc,
                        cst->rep0 = pos_slot;
                if (++(cst->rep0) == 0)
                        return 0;
+               if (cst->rep0 > wr->header->dict_size
+                               || cst->rep0 > get_pos(wr))
+                       return -1;
        }
 
        len += LZMA_MATCH_MIN_LEN;
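
Review bot: The new `return -1` directly after the `++(cst->rep0) == 0` test gives process_bit1() a second exit value next to the existing `return 0`, and neither is commented. A one-line comment above the check, for example `/* distance exceeds dictionary or data written so far: corrupt input */`, would mark it as the error path. The callers are not part of this hunk, so confirm that they treat a negative return from process_bit1() as fatal and stop decoding; otherwise the check does not give the early exit the commit message describes. The comparison `cst->rep0 > get_pos(wr)` also relies on both operands having compatible unsigned types, which cannot be verified from the lines shown.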