liblzma: lzma_index_append: Add missing integer overflow check.

The documentation in src/liblzma/api/lzma/index.h suggests that both the unpadded (compressed) size and the uncompressed size are checked for overflow, but only the unpadded size was checked. The uncompressed check is done first since that is more likely to occur than the unpadded or index field size overflows.
author: Jia Tan <jiat0218@gmail.com> 2022-09-02 20:18:55 +0800
committer: Lasse Collin <lasse.collin@tukaani.org> 2022-09-08 15:19:19 +0300
commit: 18d7facd3802b55c287581405c4d49c98708c136 (patch)
tree: 45b8579968c5054459312a9797fc1d459f535b80
parent: Update THANKS. (diff)
download: xz-18d7facd3802b55c287581405c4d49c98708c136.tar.xz
1 files changed, 4 insertions, 0 deletions
diff --git a/src/liblzma/common/index.c b/src/liblzma/common/index.c
index 86c10544..010e1f80 100644
--- a/src/liblzma/common/index.c
+++ b/src/liblzma/common/index.c
@@ -656,6 +656,10 @@ lzma_index_append(lzma_index *i, const lzma_allocator *allocator,
 	const uint32_t index_list_size_add = lzma_vli_size(unpadded_size)
 			+ lzma_vli_size(uncompressed_size);
 
+	// Check that uncompressed size will not overflow.
+	if (uncompressed_base + uncompressed_size > LZMA_VLI_MAX)
+		return LZMA_DATA_ERROR;
+
 	// Check that the file size will stay within limits.
 	if (index_file_size(s->node.compressed_base,
 			compressed_base + unpadded_size, s->record_count + 1,
author	Jia Tan <jiat0218@gmail.com>	2022-09-02 20:18:55 +0800
committer	Lasse Collin <lasse.collin@tukaani.org>	2022-09-08 15:19:19 +0300
commit	18d7facd3802b55c287581405c4d49c98708c136 (patch)
tree	45b8579968c5054459312a9797fc1d459f535b80
parent	Update THANKS. (diff)
download	xz-18d7facd3802b55c287581405c4d49c98708c136.tar.xz