Commit b73eec54 authored by Andreas Henriksson

Add debian/patches/Fail-with-negative-lha-compsize-in-lha_read_file_header_1.patch

- Cherry-pick upstream commit 98dcbbf0
  "Fail with negative lha->compsize in lha_read_file_header_1()"
  Secunia SA74169, CVE-2017-5601

Closes: #853278
Gbp-Dch: Full
parent b3e4694e
From: Martin Matuska <martin@matuska.org>
Date: Thu, 19 Jan 2017 22:00:18 +0100
Subject: Fail with negative lha->compsize in lha_read_file_header_1() Fixes a
heap buffer overflow reported in Secunia SA74169
---
libarchive/archive_read_support_format_lha.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/libarchive/archive_read_support_format_lha.c b/libarchive/archive_read_support_format_lha.c
index c359d83e..1a5617fa 100644
--- a/libarchive/archive_read_support_format_lha.c
+++ b/libarchive/archive_read_support_format_lha.c
@@ -924,6 +924,9 @@ lha_read_file_header_1(struct archive_read *a, struct lha *lha)
/* Get a real compressed file size. */
lha->compsize -= extdsize - 2;
+ if (lha->compsize < 0)
+ goto invalid; /* Invalid compressed file size */
+
if (sum_calculated != headersum) {
archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC,
"LHa header sum error");
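Review bot: The new `if (lha->compsize < 0)` check jumps to `invalid` with only a code comment, while the header-sum failure directly below it sets a specific message through `archive_set_error`. The `invalid` label is not visible in this hunk, so please confirm that it sets an error string and returns a fatal status; if it does not, set a message at the check itself so callers see why the entry was rejected. The check also runs before the `sum_calculated != headersum` comparison, so a corrupted header is reported as an invalid size rather than as a checksum error; that ordering is fine for safety, but worth a word in the comment. The change is 3 insertions in one file with no accompanying test; a regression test feeding `lha_read_file_header_1()` a header whose `extdsize - 2` exceeds `compsize` would pin the fix.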
......@@ -11,3 +11,4 @@ Correct-the-usage-of-PATH_MAX-as-reported-in-Issue-744.patch
Issue-761-Heap-overflow-reading-corrupted-7Zip-files.patch
Issue-747-and-others-Avoid-OOB-read-when-parsing-multiple.patch
Issue-767-Buffer-overflow-printing-a-filename.patch
Fail-with-negative-lha-compsize-in-lha_read_file_header_1.patch