Added sanity checking to broadcom LZMA decompressor

nightcap79 · Aug 17, 2014 · de209a6 · de209a6
1 parent 70a7a26
commit de209a6
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 9 deletions.
diff --git a/LZMA/brcm-lzma/LZMADecoder.c b/LZMA/brcm-lzma/LZMADecoder.c
@@ -379,6 +379,24 @@ HRESULT LzmaDecoderReadCoderProperties(LzmaDecoder *lzmaDecoder)
   aLiteralPosStateBits  = aRemainder % 5;
   aNumPosStateBits      = aRemainder / 5;
 
+  // CJH: Debug.
+  //printf("aLiteralContextBits (lc): %d\n", aLiteralContextBits);
+  //printf("aLiteralPosStateBits (lp): %d\n", aLiteralPosStateBits);
+  //printf("aNumPosStateBits (pb): %d\n", aNumPosStateBits);
+
+  // CJH: Validate LZMA properties before continuing
+  if(!aLiteralContextBits && !aLiteralPosStateBits && !aNumPosStateBits)
+  {
+      return -1;
+  }
+  if(aLiteralContextBits > 4 ||
+     aLiteralPosStateBits > 4 ||
+     aNumPosStateBits > 4 ||
+     (aLiteralContextBits + aLiteralPosStateBits) > 4)
+  {
+      return -1;
+  }
+
   RETURN_IF_NOT_S_OK(InStreamRead(&aDictionarySize, 
                                   sizeof(aDictionarySize), 
                                   &aProcessesedSize));

diff --git a/LZMA/lzmalib/C/7zip/Compress/LZMA_Lib/ZLib.cpp b/LZMA/lzmalib/C/7zip/Compress/LZMA_Lib/ZLib.cpp
@@ -373,9 +373,16 @@ extern "C" int lzmawrt_uncompress OF((Bytef *dest,   uLongf *destLen,
      * CJH: DD-WRT encodes the LZMA properties into the beginning of each compressed block.
      *      Sanity check these values to prevent errors in the LZMA library.
      */
+    if((unsigned int) source[1] == 0 &&
+       (unsigned int) source[2] == 0 &&
+       (unsigned int) source[0] == 0)
+    {
+        return Z_DATA_ERROR;
+    }
     if((unsigned int) source[1] > 4 ||
        (unsigned int) source[2] > 4 ||
-       (unsigned int) source[0] > 8)
+       (unsigned int) source[0] > 4 ||
+       ((unsigned int) source[1] + (unsigned int) source[2]) > 4)
     {
         return Z_DATA_ERROR;
     }

diff --git a/compressor.c b/compressor.c
@@ -80,16 +80,10 @@ static struct compressor unknown_comp_ops = {
 struct compressor *compressor[] = {
 	&gzip_comp_ops,
 	&lzma_comp_ops,
-    /*
-     * CJH: Added additional LZMA decompressors.
-     *      Try DD-WRT first, as adaptive will only
-     *      work for the first block on DD-WRT images.
-     *      Try brcm last of all the lzma's since it
-     *      has segfaulted on me before...
-     */
+    // CJH: Added additional LZMA decompressors.
+    &lzma_brcm_comp_ops,
     &lzma_wrt_comp_ops,
     &lzma_adaptive_comp_ops,
-    &lzma_brcm_comp_ops,
 	&lzo_comp_ops,
 	&lz4_comp_ops,
 	&xz_comp_ops,