libbacktrace patch committed: Skip all LZMA block header padding bytes
Checks
Commit Message
This patch to libbacktrace corrects the LZMA block header parsing to
skip all the padding bytes, verifying that they are zero. This fixes
https://github.com/ianlancetaylor/libbacktrace/issues/118.
Bootstrapped and ran libbacktrace tests on x86_64-pc-linux-gnu. I was
able to verify that the problem occurred when setting the environment
variable XZ_OPT="--threads=2", and that this patch fixes the bug.
Committed to mainline.
Ian
* elf.c (elf_uncompress_lzma_block): Skip all header padding bytes
and verify that they are zero.
23f9fbed3c97ed70d2615d7d3fa7c249cc862553
@@ -5568,6 +5568,7 @@ elf_uncompress_lzma_block (const unsigned char *compressed,
uint64_t header_compressed_size;
uint64_t header_uncompressed_size;
unsigned char lzma2_properties;
+ size_t crc_offset;
uint32_t computed_crc;
uint32_t stream_crc;
size_t uncompressed_offset;
@@ -5671,19 +5672,20 @@ elf_uncompress_lzma_block (const unsigned char *compressed,
/* The properties describe the dictionary size, but we don't care
what that is. */
- /* Block header padding. */
- if (unlikely (off + 4 > compressed_size))
+ /* Skip to just before CRC, verifying zero bytes in between. */
+ crc_offset = block_header_offset + block_header_size - 4;
+ if (unlikely (crc_offset + 4 > compressed_size))
{
elf_uncompress_failed ();
return 0;
}
-
- off = (off + 3) &~ (size_t) 3;
-
- if (unlikely (off + 4 > compressed_size))
+ for (; off < crc_offset; off++)
{
- elf_uncompress_failed ();
- return 0;
+ if (compressed[off] != 0)
+ {
+ elf_uncompress_failed ();
+ return 0;
+ }
}
/* Block header CRC. */