From e970c28ac3cb2e8051925f81db2fe953664c2645 Mon Sep 17 00:00:00 2001 From: Jia Tan Date: Fri, 3 Feb 2023 00:33:32 +0800 Subject: [PATCH] liblzma: Fix bug in lzma_str_from_filters() not checking filters[] length. The bug is only a problem in applications that do not properly terminate the filters[] array with LZMA_VLI_UNKNOWN or have more than LZMA_FILTERS_MAX filters. This bug does not affect xz. --- src/liblzma/common/string_conversion.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/src/liblzma/common/string_conversion.c b/src/liblzma/common/string_conversion.c index d5e2cd77..0d09053f 100644 --- a/src/liblzma/common/string_conversion.c +++ b/src/liblzma/common/string_conversion.c @@ -1131,6 +1131,13 @@ lzma_str_from_filters(char **output_str, const lzma_filter *filters, const char *opt_delim = (flags & LZMA_STR_GETOPT_LONG) ? "=" : ":"; for (size_t i = 0; filters[i].id != LZMA_VLI_UNKNOWN; ++i) { + // If we reach LZMA_FILTERS_MAX, then the filters array + // is too large since the ID cannot be LZMA_VLI_UNKNOWN here. + if (i == LZMA_FILTERS_MAX) { + str_free(&dest, allocator); + return LZMA_OPTIONS_ERROR; + } + // Don't add a space between filters if the caller // doesn't want them. if (i > 0 && !(flags & LZMA_STR_NO_SPACES))