Tests: Add a test file for lzma_index_append() integer overflow bug.

This test fails before commit 18d7facd38.

test_files.sh now runs xz -l for bad-3-index-uncomp-overflow.xz
because only then the previously-buggy code path gets tested.
Normal decompression doesn't use lzma_index_append() at all.
Instead, lzma_index_hash functions are used and those already
did the overflow check.
This commit is contained in:
Lasse Collin 2022-09-16 17:08:53 +03:00
parent 72e1645a43
commit ea57b9aa2c
3 changed files with 18 additions and 0 deletions

View File

@ -209,6 +209,16 @@
file gets rejected specifically due to Unpadded Size having an invalid
value.
bad-3-index-uncomp-overflow.xz has Index whose Uncompressed Size
fields have huge values whose sum exceeds the maximum allowed size
of 2^63 - 1 bytes. In this file the sum is exactly 2^64.
lzma_index_append() in liblzma <= 5.2.6 lacks the integer overflow
check for the uncompressed size and thus doesn't catch the error
when decoding the Index field in this file. This makes "xz -l"
not detect the error and will display 0 as the uncompressed size.
Note that regular decompression isn't affected by this bug because
it uses lzma_index_hash_append() instead.
bad-2-compressed_data_padding.xz has non-null byte in the padding of
the Compressed Data field of the first Block.

Binary file not shown.

View File

@ -53,6 +53,14 @@ do
fi
done
# Testing for the lzma_index_append() bug in <= 5.2.6 needs "xz -l":
I="$srcdir/files/bad-3-index-uncomp-overflow.xz"
if test -n "$XZ" && "$XZ" -l "$I" > /dev/null 2>&1; then
echo "Bad file succeeded with xz -l: $I"
(exit 1)
exit 1
fi
for I in "$srcdir"/files/good-*.lzma
do
if test -z "$XZ" || "$XZ" -dc "$I" > /dev/null; then