This patch to libbacktrace corrects the LZMA block header parsing to
skip all the padding bytes, verifying that they are zero. This fixes
https://github.com/ianlancetaylor/libbacktrace/issues/118.
Bootstrapped and ran libbacktrace tests on x86_64-pc-linux-gnu. I was
able to verify that the problem occurred when setting the environment
variable XZ_OPT="--threads=2", and that this patch fixes the bug.
Committed to mainline.
Ian
* elf.c (elf_uncompress_lzma_block): Skip all header padding bytes
and verify that they are zero.
23f9fbed3c97ed70d2615d7d3fa7c249cc862553
diff --git a/libbacktrace/elf.c b/libbacktrace/elf.c
index f4527e2477d..7841c86cd9c 100644
--- a/libbacktrace/elf.c
+++ b/libbacktrace/elf.c
@@ -5568,6 +5568,7 @@ elf_uncompress_lzma_block (const unsigned char
*compressed,
uint64_t header_compressed_size;
uint64_t header_uncompressed_size;
unsigned char lzma2_properties;
+ size_t crc_offset;
uint32_t computed_crc;
uint32_t stream_crc;
size_t uncompressed_offset;
@@ -5671,19 +5672,20 @@ elf_uncompress_lzma_block (const unsigned char
*compressed,
/* The properties describe the dictionary size, but we don't care
what that is. */
- /* Block header padding. */
- if (unlikely (off + 4 > compressed_size))
+ /* Skip to just before CRC, verifying zero bytes in between. */
+ crc_offset = block_header_offset + block_header_size - 4;
+ if (unlikely (crc_offset + 4 > compressed_size))
{
elf_uncompress_failed ();
return 0;
}
-
- off = (off + 3) &~ (size_t) 3;
-
- if (unlikely (off + 4 > compressed_size))
+ for (; off < crc_offset; off++)
{
- elf_uncompress_failed ();
- return 0;
+ if (compressed[off] != 0)
+ {
+ elf_uncompress_failed ();
+ return 0;
+ }
}
/* Block header CRC. */
