debian/patches/xz-lvv-invalid-free - jrn/xz - Git at Google

 From: Lasse Collin <lasse.collin@tukaani.org>
 Date: Fri, 27 May 2011 22:25:44 +0300
 Subject: xz: Fix error handling in xz -lvv.

 It could do an invalid free() and read past the end
 of the uninitialized filters array.
 ---
  src/xz/list.c |   21 ++++++---------------
  1 file changed, 6 insertions(+), 15 deletions(-)

 diff --git a/src/xz/list.c b/src/xz/list.c
 index 1c93718b..98307eb2 100644
 --- a/src/xz/list.c
 +++ b/src/xz/list.c
 @@ -382,14 +382,9 @@ parse_block_header(file_pair *pair, const lzma_index_iter *iter,
  	if (buf.u8[0] == 0)
  		goto data_error;

 -	lzma_block block;
 -	lzma_filter filters[LZMA_FILTERS_MAX + 1];
 -
 -	// Initialize the pointers so that they can be passed to free().
 -	for (size_t i = 0; i < ARRAY_SIZE(filters); ++i)
 -		filters[i].options = NULL;
 -
  	// Initialize the block structure and decode Block Header Size.
 +	lzma_filter filters[LZMA_FILTERS_MAX + 1];
 +	lzma_block block;
  	block.version = 0;
  	block.check = iter->stream.flags->check;
  	block.filters = filters;
 @@ -437,6 +432,10 @@ parse_block_header(file_pair *pair, const lzma_index_iter *iter,
  		break;

  	case LZMA_DATA_ERROR:
 +		// Free the memory allocated by lzma_block_header_decode().
 +		for (size_t i = 0; filters[i].id != LZMA_VLI_UNKNOWN; ++i)
 +			free(filters[i].options);
 +
  		goto data_error;

  	default:
 @@ -466,14 +465,6 @@ data_error:
  	// Show the error message.
  	message_error("%s: %s", pair->src_name,
  			message_strm(LZMA_DATA_ERROR));
 -
 -	// Free the memory allocated by lzma_block_header_decode().
 -	// This is truly needed only if we get here after a succcessful
 -	// call to lzma_block_header_decode() but it doesn't hurt to
 -	// always do it.
 -	for (size_t i = 0; filters[i].id != LZMA_VLI_UNKNOWN; ++i)
 -		free(filters[i].options);
 -
  	return true;
  }

 --
 1.7.10.2
	From: Lasse Collin <lasse.collin@tukaani.org>
	Date: Fri, 27 May 2011 22:25:44 +0300
	Subject: xz: Fix error handling in xz -lvv.

	It could do an invalid free() and read past the end
	of the uninitialized filters array.
	---
	src/xz/list.c \| 21 ++++++---------------
	1 file changed, 6 insertions(+), 15 deletions(-)

	diff --git a/src/xz/list.c b/src/xz/list.c
	index 1c93718b..98307eb2 100644
	--- a/src/xz/list.c
	+++ b/src/xz/list.c
	@@ -382,14 +382,9 @@ parse_block_header(file_pair pair, const lzma_index_iter iter,
	if (buf.u8[0] == 0)
	goto data_error;

	- lzma_block block;
	- lzma_filter filters[LZMA_FILTERS_MAX + 1];
	-
	- // Initialize the pointers so that they can be passed to free().
	- for (size_t i = 0; i < ARRAY_SIZE(filters); ++i)
	- filters[i].options = NULL;
	-
	// Initialize the block structure and decode Block Header Size.
	+ lzma_filter filters[LZMA_FILTERS_MAX + 1];
	+ lzma_block block;
	block.version = 0;
	block.check = iter->stream.flags->check;
	block.filters = filters;
	@@ -437,6 +432,10 @@ parse_block_header(file_pair pair, const lzma_index_iter iter,
	break;

	case LZMA_DATA_ERROR:
	+ // Free the memory allocated by lzma_block_header_decode().
	+ for (size_t i = 0; filters[i].id != LZMA_VLI_UNKNOWN; ++i)
	+ free(filters[i].options);
	+
	goto data_error;

	default:
	@@ -466,14 +465,6 @@ data_error:
	// Show the error message.
	message_error("%s: %s", pair->src_name,
	message_strm(LZMA_DATA_ERROR));
	-
	- // Free the memory allocated by lzma_block_header_decode().
	- // This is truly needed only if we get here after a succcessful
	- // call to lzma_block_header_decode() but it doesn't hurt to
	- // always do it.
	- for (size_t i = 0; filters[i].id != LZMA_VLI_UNKNOWN; ++i)
	- free(filters[i].options);
	-
	return true;
	}

	--
	1.7.10.2