!46 liblzma: Add overflow check for Unpadded size in lzma_index_append

From: @kouwq Reviewed-by: @dillon_chen Signed-off-by: @dillon_chen
2024-05-08 05:53:05 +00:00 · 2024-05-08 05:53:05 +00:00 · c68fec9244
commit c68fec9244
parent deb5a86780 5275a6fd07
2 changed files with 65 additions and 1 deletions
--- a/backport-liblzma-Add-overflow-check-for-Unpadded-size-in-lzma.patch
+++ b/backport-liblzma-Add-overflow-check-for-Unpadded-size-in-lzma.patch
@ -0,0 +1,60 @@
 From 68bda971bb8b666a009331455fcedb4e18d837a4 Mon Sep 17 00:00:00 2001
 From: Jia Tan <jiat0218@gmail.com>
 Date: Mon, 28 Aug 2023 21:31:25 +0800
 Subject: [PATCH] liblzma: Add overflow check for Unpadded size in
 lzma_index_append().
 This was not a security bug since there was no path to overflow
 UINT64_MAX in lzma_index_append() or when it calls index_file_size().
 The bug was discovered by a failing assert() in vli_ceil4() when called
 from index_file_size() when unpadded_sum (the sum of the compressed size
 of current Stream and the unpadded_size parameter) exceeds LZMA_VLI_MAX.
 Previously, the unpadded_size parameter was checked to be not greater
 than UNPADDED_SIZE_MAX, but no check was done once compressed_base was
 added.
 This could not have caused an integer overflow in index_file_size() when
 called by lzma_index_append(). The calculation for file_size breaks down
 into the sum of:
 - Compressed base from all previous Streams
 - 2 * LZMA_STREAM_HEADER_SIZE (size of the current Streams header and
  footer)
 - stream_padding (can be set by lzma_index_stream_padding())
 - Compressed base from the current Stream
 - Unpadded size (parameter to lzma_index_append())
 The sum of everything except for Unpadded size must be less than
 LZMA_VLI_MAX. This is guarenteed by overflow checks in the functions
 that can set these values including lzma_index_stream_padding(),
 lzma_index_append(), and lzma_index_cat(). The maximum value for
 Unpadded size is enforced by lzma_index_append() to be less than or
 equal UNPADDED_SIZE_MAX. Thus, the sum cannot exceed UINT64_MAX since
 LZMA_VLI_MAX is half of UINT64_MAX.
 Thanks to Joona Kannisto for reporting this.
 ---
 src/liblzma/common/index.c | 6 ++++++
 1 file changed, 6 insertions(+)
 diff --git a/src/liblzma/common/index.c b/src/liblzma/common/index.c
 index 97cc9f95..8a35f439 100644
 --- a/src/liblzma/common/index.c
 +++ b/src/liblzma/common/index.c
@@ -661,6 +661,12 @@ lzma_index_append(lzma_index *i, const lzma_allocator *allocator,
 	if (uncompressed_base + uncompressed_size > LZMA_VLI_MAX)
 		return LZMA_DATA_ERROR;
 +	// Check that the new unpadded sum will not overflow. This is
 +	// checked again in index_file_size(), but the unpadded sum is
 +	// passed to vli_ceil4() which expects a valid lzma_vli value.
 +	if (compressed_base + unpadded_size > UNPADDED_SIZE_MAX)
 +		return LZMA_DATA_ERROR;
 +
 	// Check that the file size will stay within limits.
 	if (index_file_size(s->node.compressed_base,
 			compressed_base + unpadded_size, s->record_count + 1,
 -- 
 2.23.0
--- a/xz.spec
+++ b/xz.spec
@ -1,12 +1,13 @@
 Name:           xz
 Version:        5.4.4
-Release:        1
+Release:        2
 Summary:        A free general-purpose data compreession software with LZMA2 algorithm
 License:        GPL-3.0-only
 URL:            http://tukaani.org/xz
 Source0:        http://tukaani.org/%{name}/%{name}-%{version}.tar.xz
 Source1:        colorxzgrep.sh
 Source2:        colorxzgrep.csh
 Patch0:         backport-liblzma-Add-overflow-check-for-Unpadded-size-in-lzma.patch
 BuildRequires:  perl-interpreter gcc
@ -114,6 +115,9 @@ LD_LIBRARY_PATH=$PWD/src/liblzma/.libs make check
 %{_mandir}/pt_BR/man1/*
 %changelog
 * Tue Apr 30 2024 kouwenqi <kouwenqi@kylinos.cn> - 5.4.4-2
 - liblzma: Add overflow check for Unpadded size in lzma_index_append
 * Fri Aug 4 2023 dillon chen <dillon.chen@gmail.com> - 5.4.4-1
 - update version to 5.4.4