Google Git
Sign in
googlers / jrn / xz / 434c6dd14f1cba0bd0c2fc8439e012b97bfb0dfb^! / .
commit434c6dd14f1cba0bd0c2fc8439e012b97bfb0dfb[log] [tgz]
authorLasse Collin <lasse.collin@tukaani.org>Mon Apr 11 13:21:28 2011 +0300
committerJonathan Nieder <jrnieder@gmail.com>Sat Jun 23 01:27:23 2012 -0500
tree3bcc95f424e4aee3225f285de9fd965e9f56727f
parent099ef8f2095d3d17329129adf9732d7ea2bd840e [diff]
liblzma: Validate encoder arguments better.

The biggest problem was that the integrity check type
wasn't validated, and e.g. lzma_easy_buffer_encode()
would create a corrupt .xz Stream if given an unsupported
Check ID. Luckily applications don't usually try to use
an unsupport Check ID, so this bug is unlikely to cause
many real-world problems.

diff --git a/src/liblzma/common/block_buffer_encoder.c b/src/liblzma/common/block_buffer_encoder.c
index a8f71c2..519c6a6 100644
--- a/src/liblzma/common/block_buffer_encoder.c
+++ b/src/liblzma/common/block_buffer_encoder.c

@@ -226,16 +226,23 @@
 		const uint8_t *in, size_t in_size,
 		uint8_t *out, size_t *out_pos, size_t out_size)
 {
-	// Sanity checks
-	if (block == NULL || block->filters == NULL
-			|| (in == NULL && in_size != 0) || out == NULL
+	// Validate the arguments.
+	if (block == NULL || (in == NULL && in_size != 0) || out == NULL
 			|| out_pos == NULL || *out_pos > out_size)
 		return LZMA_PROG_ERROR;
 
-	// Check the version field.
+	// The contents of the structure may depend on the version so
+	// check the version before validating the contents of *block.
 	if (block->version != 0)
 		return LZMA_OPTIONS_ERROR;
 
+	if ((unsigned int)(block->check) > LZMA_CHECK_ID_MAX
+			|| block->filters == NULL)
+		return LZMA_PROG_ERROR;
+
+	if (!lzma_check_is_supported(block->check))
+		return LZMA_UNSUPPORTED_CHECK;
+
 	// Size of a Block has to be a multiple of four, so limit the size
 	// here already. This way we don't need to check it again when adding
 	// Block Padding.
@@ -243,8 +250,7 @@
 
 	// Get the size of the Check field.
 	const size_t check_size = lzma_check_size(block->check);
-	if (check_size == UINT32_MAX)
-		return LZMA_PROG_ERROR;
+	assert(check_size != UINT32_MAX);
 
 	// Reserve space for the Check field.
 	if (out_size - *out_pos <= check_size)

diff --git a/src/liblzma/common/block_encoder.c b/src/liblzma/common/block_encoder.c
index ca51523..b34c501 100644
--- a/src/liblzma/common/block_encoder.c
+++ b/src/liblzma/common/block_encoder.c

@@ -161,6 +161,11 @@
 {
 	lzma_next_coder_init(&lzma_block_encoder_init, next, allocator);
 
+	if (block == NULL)
+		return LZMA_PROG_ERROR;
+
+	// The contents of the structure may depend on the version so
+	// check the version first.
 	if (block->version != 0)
 		return LZMA_OPTIONS_ERROR;
 

diff --git a/src/liblzma/common/stream_buffer_encoder.c b/src/liblzma/common/stream_buffer_encoder.c
index 0542c30..2450ee2 100644
--- a/src/liblzma/common/stream_buffer_encoder.c
+++ b/src/liblzma/common/stream_buffer_encoder.c

@@ -51,6 +51,9 @@
 			|| out_pos_ptr == NULL || *out_pos_ptr > out_size)
 		return LZMA_PROG_ERROR;
 
+	if (!lzma_check_is_supported(check))
+		return LZMA_UNSUPPORTED_CHECK;
+
 	// Note for the paranoids: Index encoder prevents the Stream from
 	// getting too big and still being accepted with LZMA_OK, and Block
 	// encoder catches if the input is too big. So we don't need to