summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--meta/recipes-core/busybox/busybox/busybox-1.24.1-unzip-regression.patch143
-rw-r--r--meta/recipes-core/busybox/busybox/busybox-1.24.1-unzip.patch118
-rw-r--r--meta/recipes-core/busybox/busybox_1.24.1.bb2
3 files changed, 263 insertions, 0 deletions
diff --git a/meta/recipes-core/busybox/busybox/busybox-1.24.1-unzip-regression.patch b/meta/recipes-core/busybox/busybox/busybox-1.24.1-unzip-regression.patch
new file mode 100644
index 0000000000..e3c502091f
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/busybox-1.24.1-unzip-regression.patch
@@ -0,0 +1,143 @@
1Upstream-Status: Backport
2
3 http://busybox.net/downloads/fixes-1.24.1/
4 http://git.busybox.net/busybox/commit/?id=092fabcf1df5d46cd22be4ffcd3b871f6180eb9c
5 http://git.busybox.net/busybox/commit/?h=1_24_stable&id=092fabcf1df5d46cd22be4ffcd3b871f6180eb9c
6
7Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
8
9From 092fabcf1df5d46cd22be4ffcd3b871f6180eb9c Mon Sep 17 00:00:00 2001
10From: Denys Vlasenko <vda.linux@googlemail.com>
11Date: Fri, 30 Oct 2015 23:41:53 +0100
12Subject: [PATCH] [g]unzip: fix recent breakage.
13
14Also, do emit error message we so painstakingly pass from gzip internals
15
16Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
17(cherry picked from commit 6bd3fff51aa74e2ee2d87887b12182a3b09792ef)
18Signed-off-by: Mike Frysinger <vapier@gentoo.org>
19---
20 archival/libarchive/decompress_gunzip.c | 33 +++++++++++++++++++++------------
21 testsuite/unzip.tests | 1 +
22 2 files changed, 22 insertions(+), 12 deletions(-)
23
24diff --git a/archival/libarchive/decompress_gunzip.c b/archival/libarchive/decompress_gunzip.c
25index c76fd31..357c9bf 100644
26--- a/archival/libarchive/decompress_gunzip.c
27+++ b/archival/libarchive/decompress_gunzip.c
28@@ -309,8 +309,7 @@ static int huft_build(const unsigned *b, const unsigned n,
29 huft_t *q; /* points to current table */
30 huft_t r; /* table entry for structure assignment */
31 huft_t *u[BMAX]; /* table stack */
32- unsigned v[N_MAX]; /* values in order of bit length */
33- unsigned v_end;
34+ unsigned v[N_MAX + 1]; /* values in order of bit length. last v[] is never used */
35 int ws[BMAX + 1]; /* bits decoded stack */
36 int w; /* bits decoded */
37 unsigned x[BMAX + 1]; /* bit offsets, then code stack */
38@@ -365,15 +364,17 @@ static int huft_build(const unsigned *b, const unsigned n,
39 *xp++ = j;
40 }
41
42- /* Make a table of values in order of bit lengths */
43+ /* Make a table of values in order of bit lengths.
44+ * To detect bad input, unused v[i]'s are set to invalid value UINT_MAX.
45+ * In particular, last v[i] is never filled and must not be accessed.
46+ */
47+ memset(v, 0xff, sizeof(v));
48 p = b;
49 i = 0;
50- v_end = 0;
51 do {
52 j = *p++;
53 if (j != 0) {
54 v[x[j]++] = i;
55- v_end = x[j];
56 }
57 } while (++i < n);
58
59@@ -435,7 +436,9 @@ static int huft_build(const unsigned *b, const unsigned n,
60
61 /* set up table entry in r */
62 r.b = (unsigned char) (k - w);
63- if (p >= v + v_end) { // Was "if (p >= v + n)" but v[] can be shorter!
64+ if (/*p >= v + n || -- redundant, caught by the second check: */
65+ *p == UINT_MAX /* do we access uninited v[i]? (see memset(v))*/
66+ ) {
67 r.e = 99; /* out of values--invalid code */
68 } else if (*p < s) {
69 r.e = (unsigned char) (*p < 256 ? 16 : 15); /* 256 is EOB code */
70@@ -520,8 +523,9 @@ static NOINLINE int inflate_codes(STATE_PARAM_ONLY)
71 e = t->e;
72 if (e > 16)
73 do {
74- if (e == 99)
75- abort_unzip(PASS_STATE_ONLY);;
76+ if (e == 99) {
77+ abort_unzip(PASS_STATE_ONLY);
78+ }
79 bb >>= t->b;
80 k -= t->b;
81 e -= 16;
82@@ -557,8 +561,9 @@ static NOINLINE int inflate_codes(STATE_PARAM_ONLY)
83 e = t->e;
84 if (e > 16)
85 do {
86- if (e == 99)
87+ if (e == 99) {
88 abort_unzip(PASS_STATE_ONLY);
89+ }
90 bb >>= t->b;
91 k -= t->b;
92 e -= 16;
93@@ -824,8 +829,9 @@ static int inflate_block(STATE_PARAM smallint *e)
94
95 b_dynamic >>= 4;
96 k_dynamic -= 4;
97- if (nl > 286 || nd > 30)
98+ if (nl > 286 || nd > 30) {
99 abort_unzip(PASS_STATE_ONLY); /* bad lengths */
100+ }
101
102 /* read in bit-length-code lengths */
103 for (j = 0; j < nb; j++) {
104@@ -906,12 +912,14 @@ static int inflate_block(STATE_PARAM smallint *e)
105 bl = lbits;
106
107 i = huft_build(ll, nl, 257, cplens, cplext, &inflate_codes_tl, &bl);
108- if (i != 0)
109+ if (i != 0) {
110 abort_unzip(PASS_STATE_ONLY);
111+ }
112 bd = dbits;
113 i = huft_build(ll + nl, nd, 0, cpdist, cpdext, &inflate_codes_td, &bd);
114- if (i != 0)
115+ if (i != 0) {
116 abort_unzip(PASS_STATE_ONLY);
117+ }
118
119 /* set up data for inflate_codes() */
120 inflate_codes_setup(PASS_STATE bl, bd);
121@@ -999,6 +1007,7 @@ inflate_unzip_internal(STATE_PARAM transformer_state_t *xstate)
122 error_msg = "corrupted data";
123 if (setjmp(error_jmp)) {
124 /* Error from deep inside zip machinery */
125+ bb_error_msg(error_msg);
126 n = -1;
127 goto ret;
128 }
129diff --git a/testsuite/unzip.tests b/testsuite/unzip.tests
130index ca0a458..d8738a3 100755
131--- a/testsuite/unzip.tests
132+++ b/testsuite/unzip.tests
133@@ -34,6 +34,7 @@ rm foo.zip
134 testing "unzip (bad archive)" "uudecode; unzip bad.zip 2>&1; echo \$?" \
135 "Archive: bad.zip
136 inflating: ]3j½r«IK-%Ix
137+unzip: corrupted data
138 unzip: inflate error
139 1
140 " \
141--
1422.6.2
143
diff --git a/meta/recipes-core/busybox/busybox/busybox-1.24.1-unzip.patch b/meta/recipes-core/busybox/busybox/busybox-1.24.1-unzip.patch
new file mode 100644
index 0000000000..718672695c
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/busybox-1.24.1-unzip.patch
@@ -0,0 +1,118 @@
1Upstream-Status: Backport
2
3 http://busybox.net/downloads/fixes-1.24.1/
4 http://git.busybox.net/busybox/commit/?id=1de25a6e87e0e627aa34298105a3d17c60a1f44e
5 http://git.busybox.net/busybox/commit/?h=1_24_stable&id=6767af17f11144c7cd3cfe9ef799d7f89a78fe65
6
7Signed-off-by: Andre McCurdy <armccurdy@gmail.com>
8
9From 1de25a6e87e0e627aa34298105a3d17c60a1f44e Mon Sep 17 00:00:00 2001
10From: Denys Vlasenko <vda.linux@googlemail.com>
11Date: Mon, 26 Oct 2015 19:33:05 +0100
12Subject: [PATCH] unzip: test for bad archive SEGVing
13
14function old new delta
15huft_build 1296 1300 +4
16
17Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
18---
19 archival/libarchive/decompress_gunzip.c | 11 +++++++----
20 testsuite/unzip.tests | 23 ++++++++++++++++++++++-
21 2 files changed, 29 insertions(+), 5 deletions(-)
22
23diff --git a/archival/libarchive/decompress_gunzip.c b/archival/libarchive/decompress_gunzip.c
24index 7b6f459..30bf451 100644
25--- a/archival/libarchive/decompress_gunzip.c
26+++ b/archival/libarchive/decompress_gunzip.c
27@@ -305,11 +305,12 @@ static int huft_build(const unsigned *b, const unsigned n,
28 unsigned i; /* counter, current code */
29 unsigned j; /* counter */
30 int k; /* number of bits in current code */
31- unsigned *p; /* pointer into c[], b[], or v[] */
32+ const unsigned *p; /* pointer into c[], b[], or v[] */
33 huft_t *q; /* points to current table */
34 huft_t r; /* table entry for structure assignment */
35 huft_t *u[BMAX]; /* table stack */
36 unsigned v[N_MAX]; /* values in order of bit length */
37+ unsigned v_end;
38 int ws[BMAX + 1]; /* bits decoded stack */
39 int w; /* bits decoded */
40 unsigned x[BMAX + 1]; /* bit offsets, then code stack */
41@@ -324,7 +325,7 @@ static int huft_build(const unsigned *b, const unsigned n,
42
43 /* Generate counts for each bit length */
44 memset(c, 0, sizeof(c));
45- p = (unsigned *) b; /* cast allows us to reuse p for pointing to b */
46+ p = b;
47 i = n;
48 do {
49 c[*p]++; /* assume all entries <= BMAX */
50@@ -365,12 +366,14 @@ static int huft_build(const unsigned *b, const unsigned n,
51 }
52
53 /* Make a table of values in order of bit lengths */
54- p = (unsigned *) b;
55+ p = b;
56 i = 0;
57+ v_end = 0;
58 do {
59 j = *p++;
60 if (j != 0) {
61 v[x[j]++] = i;
62+ v_end = x[j];
63 }
64 } while (++i < n);
65
66@@ -432,7 +435,7 @@ static int huft_build(const unsigned *b, const unsigned n,
67
68 /* set up table entry in r */
69 r.b = (unsigned char) (k - w);
70- if (p >= v + n) {
71+ if (p >= v + v_end) { // Was "if (p >= v + n)" but v[] can be shorter!
72 r.e = 99; /* out of values--invalid code */
73 } else if (*p < s) {
74 r.e = (unsigned char) (*p < 256 ? 16 : 15); /* 256 is EOB code */
75diff --git a/testsuite/unzip.tests b/testsuite/unzip.tests
76index 8677a03..ca0a458 100755
77--- a/testsuite/unzip.tests
78+++ b/testsuite/unzip.tests
79@@ -7,7 +7,7 @@
80
81 . ./testing.sh
82
83-# testing "test name" "options" "expected result" "file input" "stdin"
84+# testing "test name" "commands" "expected result" "file input" "stdin"
85 # file input will be file called "input"
86 # test can create a file "actual" instead of writing to stdout
87
88@@ -30,6 +30,27 @@ testing "unzip (subdir only)" "unzip -q foo.zip foo/ && test -d foo && test ! -f
89 rmdir foo
90 rm foo.zip
91
92+# File containing some damaged encrypted stream
93+testing "unzip (bad archive)" "uudecode; unzip bad.zip 2>&1; echo \$?" \
94+"Archive: bad.zip
95+ inflating: ]3j½r«IK-%Ix
96+unzip: inflate error
97+1
98+" \
99+"" "\
100+begin-base64 644 bad.zip
101+UEsDBBQAAgkIAAAAIQA5AAAANwAAADwAAAAQAAcAXTNqwr1ywqtJGxJLLSVJ
102+eCkBD0AdKBk8JzQsIj01JC0/ORJQSwMEFAECCAAAAAAhADoAAAAPAAAANgAA
103+AAwAAQASw73Ct1DCokohPXQiNjoUNTUiHRwgLT4WHlBLAQIQABQAAggIAAAA
104+oQA5AAAANwAAADwAAAAQQAcADAAAACwAMgCAAAAAAABdM2rCvXLCq0kbEkst
105+JUl4KQEPQB0oGSY4Cz4QNgEnJSYIPVBLAQIAABQAAggAAAAAIQAqAAAADwAA
106+BDYAAAAMAAEADQAAADIADQAAAEEAAAASw73Ct1DKokohPXQiNzA+FAI1HCcW
107+NzITNFBLBQUKAC4JAA04Cw0EOhZQSwUGAQAABAIAAgCZAAAAeQAAAAIALhM=
108+====
109+"
110+
111+rm *
112+
113 # Clean up scratch directory.
114
115 cd ..
116--
1172.6.2
118
diff --git a/meta/recipes-core/busybox/busybox_1.24.1.bb b/meta/recipes-core/busybox/busybox_1.24.1.bb
index 7d2a7b203c..02e8a4959f 100644
--- a/meta/recipes-core/busybox/busybox_1.24.1.bb
+++ b/meta/recipes-core/busybox/busybox_1.24.1.bb
@@ -32,6 +32,8 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
32 file://busybox-cross-menuconfig.patch \ 32 file://busybox-cross-menuconfig.patch \
33 file://0001-Use-CC-when-linking-instead-of-LD-and-use-CFLAGS-and.patch \ 33 file://0001-Use-CC-when-linking-instead-of-LD-and-use-CFLAGS-and.patch \
34 file://0002-Passthrough-r-to-linker.patch \ 34 file://0002-Passthrough-r-to-linker.patch \
35 file://busybox-1.24.1-unzip.patch \
36 file://busybox-1.24.1-unzip-regression.patch \
35 file://mount-via-label.cfg \ 37 file://mount-via-label.cfg \
36 file://sha1sum.cfg \ 38 file://sha1sum.cfg \
37 file://sha256sum.cfg \ 39 file://sha256sum.cfg \