From 18d7facd3802b55c287581405c4d49c98708c136 Mon Sep 17 00:00:00 2001
From: Jia Tan <jiat0218@gmail.com>
Date: Fri, 2 Sep 2022 20:18:55 +0800
Subject: [PATCH] liblzma: lzma_index_append: Add missing integer overflow
 check.

The documentation in src/liblzma/api/lzma/index.h suggests that
both the unpadded (compressed) size and the uncompressed size
are checked for overflow, but only the unpadded size was checked.
The uncompressed check is done first since that is more likely to
occur than the unpadded or index field size overflows.
---
 src/liblzma/common/index.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/liblzma/common/index.c b/src/liblzma/common/index.c
index 86c10544..010e1f80 100644
--- a/src/liblzma/common/index.c
+++ b/src/liblzma/common/index.c
@@ -656,6 +656,10 @@ lzma_index_append(lzma_index *i, const lzma_allocator *allocator,
 	const uint32_t index_list_size_add = lzma_vli_size(unpadded_size)
 			+ lzma_vli_size(uncompressed_size);
 
+	// Check that uncompressed size will not overflow.
+	if (uncompressed_base + uncompressed_size > LZMA_VLI_MAX)
+		return LZMA_DATA_ERROR;
+
 	// Check that the file size will stay within limits.
 	if (index_file_size(s->node.compressed_base,
 			compressed_base + unpadded_size, s->record_count + 1,