revi-archive/xz-archive
1
0
Fork 0
mirror of https://git.tukaani.org/xz.git synced 2024-04-04 12:36:23 +02:00
Code Activity

xz: Fix an integer overflow with 32-bit off_t.

Browse source 
Or any off_t which isn't very big (like signed 64 bit integer
that most system have). A small off_t could overflow if the
file being decompressed had long enough run of zero bytes,
which would result in corrupt output.
This commit is contained in:
Lasse Collin 2019-06-24 20:45:49 +03:00
parent 65a42741e2
commit c8cace3d6e
1 changed files with 9 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
src/xz/file_io.c
View file

@ -1273,8 +1273,15 @@ io_write(file_pair *pair, const io_buf *buf, size_t size)
// if the file ends with sparse block, we must also return
// if size == 0 to avoid doing the lseek().
if (size == IO_BUFFER_SIZE) {
if (is_sparse(buf)) {
pair->dest_pending_sparse += size;
// Even if the block was sparse, treat it as non-sparse
// if the pending sparse amount is large compared to
// the size of off_t. In practice this only matters
// on 32-bit systems where off_t isn't always 64 bits.
const off_t pending_max
= (off_t)(1) << (sizeof(off_t) * CHAR_BIT - 2);
if (is_sparse(buf) && pair->dest_pending_sparse
< pending_max) {
pair->dest_pending_sparse += (off_t)(size);
return false;
}
} else if (size == 0) {