busybox/backport-CVE-2021-42374.patch

From 479e2e47de5f2a9a3ecedda264976bde6945ce60 Mon Sep 17 00:00:00 2001
From: jikui <jikui2@huawei.com>
Date: Mon, 22 Nov 2021 10:24:24 +0800
Subject: [PATCH] busybox: fix CVE-2021-42374

backport from upstream:
https://git.busybox.net/busybox/patch/?h=1_34_stable&id=04f052c56ded5ab6a904e3a264a73dc0412b2e78

Signed-off-by: jikui <jikui2@huawei.com>
---
 archival/libarchive/decompress_unlzma.c |  5 ++++-
 testsuite/unlzma.tests                  | 10 ++++++----
 2 files changed, 10 insertions(+), 5 deletions(-)

diff --git a/archival/libarchive/decompress_unlzma.c b/archival/libarchive/decompress_unlzma.c
index 0744f23..fb5aac8 100644
--- a/archival/libarchive/decompress_unlzma.c
+++ b/archival/libarchive/decompress_unlzma.c
@@ -290,8 +290,11 @@ unpack_lzma_stream(transformer_state_t *xstate)
 				uint32_t pos;
 
 				pos = buffer_pos - rep0;
-				if ((int32_t)pos < 0)
+				if ((int32_t)pos < 0) {
 					pos += header.dict_size;
+					if ((int32_t)pos < 0)
+						goto bad;
+				}
 				match_byte = buffer[pos];
 				do {
 					int bit;
diff --git a/testsuite/unlzma.tests b/testsuite/unlzma.tests
index 0e98afe..8c120b1 100755
--- a/testsuite/unlzma.tests
+++ b/testsuite/unlzma.tests
@@ -8,14 +8,16 @@
 
 # Damaged encrypted streams
 testing "unlzma (bad archive 1)" \
-	"unlzma <unlzma_issue_1.lzma >/dev/null; echo \$?" \
-"1
+	"unlzma <unlzma_issue_1.lzma 2>&1 >/dev/null; echo \$?" \
+"unlzma: corrupted data
+1
 " "" ""
 
 # Damaged encrypted streams
 testing "unlzma (bad archive 2)" \
-	"unlzma <unlzma_issue_2.lzma >/dev/null; echo \$?" \
-"1
+	"unlzma <unlzma_issue_2.lzma 2>&1 >/dev/null; echo \$?" \
+"unlzma: corrupted data
+1
 " "" ""
 
 exit $FAILCOUNT
-- 
2.25.1
fix CVE-2021-42374 and CVE-2021-42377 Signed-off-by: jikui <jikui2@huawei.com> 2021-11-22 10:33:41 +08:00			`From 479e2e47de5f2a9a3ecedda264976bde6945ce60 Mon Sep 17 00:00:00 2001`
			`From: jikui <jikui2@huawei.com>`
			`Date: Mon, 22 Nov 2021 10:24:24 +0800`
			`Subject: [PATCH] busybox: fix CVE-2021-42374`

			`backport from upstream:`
			`https://git.busybox.net/busybox/patch/?h=1_34_stable&id=04f052c56ded5ab6a904e3a264a73dc0412b2e78`

			`Signed-off-by: jikui <jikui2@huawei.com>`
			`---`
			`archival/libarchive/decompress_unlzma.c \| 5 ++++-`
			`testsuite/unlzma.tests \| 10 ++++++----`
			`2 files changed, 10 insertions(+), 5 deletions(-)`

			`diff --git a/archival/libarchive/decompress_unlzma.c b/archival/libarchive/decompress_unlzma.c`
			`index 0744f23..fb5aac8 100644`
			`--- a/archival/libarchive/decompress_unlzma.c`
			`+++ b/archival/libarchive/decompress_unlzma.c`
			`@@ -290,8 +290,11 @@ unpack_lzma_stream(transformer_state_t *xstate)`
			`uint32_t pos;`

			`pos = buffer_pos - rep0;`
			`- if ((int32_t)pos < 0)`
			`+ if ((int32_t)pos < 0) {`
			`pos += header.dict_size;`
			`+ if ((int32_t)pos < 0)`
			`+ goto bad;`
			`+ }`
			`match_byte = buffer[pos];`
			`do {`
			`int bit;`
			`diff --git a/testsuite/unlzma.tests b/testsuite/unlzma.tests`
			`index 0e98afe..8c120b1 100755`
			`--- a/testsuite/unlzma.tests`
			`+++ b/testsuite/unlzma.tests`
			`@@ -8,14 +8,16 @@`

			`# Damaged encrypted streams`
			`testing "unlzma (bad archive 1)" \`
			`- "unlzma <unlzma_issue_1.lzma >/dev/null; echo \$?" \`
			`-"1`
			`+ "unlzma <unlzma_issue_1.lzma 2>&1 >/dev/null; echo \$?" \`
			`+"unlzma: corrupted data`
			`+1`
			`" "" ""`

			`# Damaged encrypted streams`
			`testing "unlzma (bad archive 2)" \`
			`- "unlzma <unlzma_issue_2.lzma >/dev/null; echo \$?" \`
			`-"1`
			`+ "unlzma <unlzma_issue_2.lzma 2>&1 >/dev/null; echo \$?" \`
			`+"unlzma: corrupted data`
			`+1`
			`" "" ""`

			`exit $FAILCOUNT`
			`--`
			`2.25.1`