mirror of https://git.tukaani.org/xz.git
xz: Fix an integer overflow with 32-bit off_t.
Or any off_t which isn't very big (like signed 64 bit integer that most system have). A small off_t could overflow if the file being decompressed had long enough run of zero bytes, which would result in corrupt output.
This commit is contained in:
parent
4fd3a8dd0b
commit
2402f7873d
|
@ -1293,8 +1293,15 @@ io_write(file_pair *pair, const io_buf *buf, size_t size)
|
||||||
// if the file ends with sparse block, we must also return
|
// if the file ends with sparse block, we must also return
|
||||||
// if size == 0 to avoid doing the lseek().
|
// if size == 0 to avoid doing the lseek().
|
||||||
if (size == IO_BUFFER_SIZE) {
|
if (size == IO_BUFFER_SIZE) {
|
||||||
if (is_sparse(buf)) {
|
// Even if the block was sparse, treat it as non-sparse
|
||||||
pair->dest_pending_sparse += size;
|
// if the pending sparse amount is large compared to
|
||||||
|
// the size of off_t. In practice this only matters
|
||||||
|
// on 32-bit systems where off_t isn't always 64 bits.
|
||||||
|
const off_t pending_max
|
||||||
|
= (off_t)(1) << (sizeof(off_t) * CHAR_BIT - 2);
|
||||||
|
if (is_sparse(buf) && pair->dest_pending_sparse
|
||||||
|
< pending_max) {
|
||||||
|
pair->dest_pending_sparse += (off_t)(size);
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
} else if (size == 0) {
|
} else if (size == 0) {
|
||||||
|
|
Loading…
Reference in New Issue