Fail with negative lha->compsize in lha_read_file_header_1() Fixes a heap buffer...

author Martin Matuska <martin@matuska.org>

Thu, 19 Jan 2017 21:00:18 +0000 (22:00 +0100)

committer DongHun Kwak <dh0128.kwak@samsung.com>

Tue, 20 Jun 2017 04:24:01 +0000 (13:24 +0900)
author Martin Matuska <martin@matuska.org>
Thu, 19 Jan 2017 21:00:18 +0000 (22:00 +0100)
committer DongHun Kwak <dh0128.kwak@samsung.com>
Tue, 20 Jun 2017 04:24:01 +0000 (13:24 +0900)
diff --git a/libarchive/archive_read_support_format_lha.c b/libarchive/archive_read_support_format_lha.c

index c359d83..1a5617f 100644 (file)
--- a/libarchive/archive_read_support_format_lha.c
+++ b/libarchive/archive_read_support_format_lha.c
@@ -924,6 +924,9 @@ lha_read_file_header_1(struct archive_read *a, struct lha *lha)
         /* Get a real compressed file size. */
         lha->compsize -= extdsize - 2;
  
+       if (lha->compsize < 0)
+               goto invalid;   /* Invalid compressed file size */
+
         if (sum_calculated != headersum) {
                 archive_set_error(&a->archive, ARCHIVE_ERRNO_MISC,
                     "LHa header sum error");
author	Martin Matuska <martin@matuska.org>
	Thu, 19 Jan 2017 21:00:18 +0000 (22:00 +0100)
committer	DongHun Kwak <dh0128.kwak@samsung.com>
	Tue, 20 Jun 2017 04:24:01 +0000 (13:24 +0900)