!46 liblzma: Add overflow check for Unpadded size in lzma_index_append

From: @kouwq 
Reviewed-by: @dillon_chen 
Signed-off-by: @dillon_chen

backport-liblzma-Add-overflow-check-for-Unpadded-size-in-lzma.patch

@@ -0,0 +1,60 @@
+From 68bda971bb8b666a009331455fcedb4e18d837a4 Mon Sep 17 00:00:00 2001
+From: Jia Tan <jiat0218@gmail.com>
+Date: Mon, 28 Aug 2023 21:31:25 +0800
+Subject: [PATCH] liblzma: Add overflow check for Unpadded size in
+ lzma_index_append().
+
+This was not a security bug since there was no path to overflow
+UINT64_MAX in lzma_index_append() or when it calls index_file_size().
+The bug was discovered by a failing assert() in vli_ceil4() when called
+from index_file_size() when unpadded_sum (the sum of the compressed size
+of current Stream and the unpadded_size parameter) exceeds LZMA_VLI_MAX.
+
+Previously, the unpadded_size parameter was checked to be not greater
+than UNPADDED_SIZE_MAX, but no check was done once compressed_base was
+added.
+
+This could not have caused an integer overflow in index_file_size() when
+called by lzma_index_append(). The calculation for file_size breaks down
+into the sum of:
+
+- Compressed base from all previous Streams
+- 2 * LZMA_STREAM_HEADER_SIZE (size of the current Streams header and
+  footer)
+- stream_padding (can be set by lzma_index_stream_padding())
+- Compressed base from the current Stream
+- Unpadded size (parameter to lzma_index_append())
+
+The sum of everything except for Unpadded size must be less than
+LZMA_VLI_MAX. This is guarenteed by overflow checks in the functions
+that can set these values including lzma_index_stream_padding(),
+lzma_index_append(), and lzma_index_cat(). The maximum value for
+Unpadded size is enforced by lzma_index_append() to be less than or
+equal UNPADDED_SIZE_MAX. Thus, the sum cannot exceed UINT64_MAX since
+LZMA_VLI_MAX is half of UINT64_MAX.
+
+Thanks to Joona Kannisto for reporting this.
+---
+ src/liblzma/common/index.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/liblzma/common/index.c b/src/liblzma/common/index.c
+index 97cc9f95..8a35f439 100644
+--- a/src/liblzma/common/index.c
++++ b/src/liblzma/common/index.c
+@@ -661,6 +661,12 @@ lzma_index_append(lzma_index *i, const lzma_allocator *allocator,
+ 	if (uncompressed_base + uncompressed_size > LZMA_VLI_MAX)
+ 		return LZMA_DATA_ERROR;
+ 
++	// Check that the new unpadded sum will not overflow. This is
++	// checked again in index_file_size(), but the unpadded sum is
++	// passed to vli_ceil4() which expects a valid lzma_vli value.
++	if (compressed_base + unpadded_size > UNPADDED_SIZE_MAX)
++		return LZMA_DATA_ERROR;
++
+ 	// Check that the file size will stay within limits.
+ 	if (index_file_size(s->node.compressed_base,
+ 			compressed_base + unpadded_size, s->record_count + 1,
+-- 
+2.23.0
+

xz.spec

@@ -1,12 +1,13 @@
 Name:           xz
 Version:        5.4.4
-Release:        1
+Release:        2
 Summary:        A free general-purpose data compreession software with LZMA2 algorithm
 License:        GPL-3.0-only
 URL:            http://tukaani.org/xz
 Source0:        http://tukaani.org/%{name}/%{name}-%{version}.tar.xz
 Source1:        colorxzgrep.sh
 Source2:        colorxzgrep.csh
+Patch0:         backport-liblzma-Add-overflow-check-for-Unpadded-size-in-lzma.patch
 
 BuildRequires:  perl-interpreter gcc
 
@@ -114,6 +115,9 @@ LD_LIBRARY_PATH=$PWD/src/liblzma/.libs make check
 %{_mandir}/pt_BR/man1/*
 
 %changelog
+* Tue Apr 30 2024 kouwenqi <kouwenqi@kylinos.cn> - 5.4.4-2
+- liblzma: Add overflow check for Unpadded size in lzma_index_append
+
 * Fri Aug 4 2023 dillon chen <dillon.chen@gmail.com> - 5.4.4-1
 - update version to 5.4.4