From 2240fbf5912054af025fb6e01e26375100275e74 Mon Sep 17 00:00:00 2001

From: Nick Wellnhofer <wellnhofer@aevum.de>

Date: Mon, 30 Jul 2018 13:14:11 +0200

Subject: [PATCH] Fix infinite loop in LZMA decompression

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

Check the liblzma error code more thoroughly to avoid infinite loops.

Closes: https://gitlab.gnome.org/GNOME/libxml2/issues/13

Closes: https://bugzilla.gnome.org/show_bug.cgi?id=794914

This is CVE-2018-9251 and CVE-2018-14567.

Thanks to Dongliang Mu and Simon Wörner for the reports.

---

 xzlib.c | 9 +++++++++

 1 file changed, 9 insertions(+)

diff --git a/xzlib.c b/xzlib.c

index a839169e..0ba88cfa 100644

--- a/xzlib.c

+++ b/xzlib.c

@@ -562,6 +562,10 @@ xz_decomp(xz_statep state)

                          "internal error: inflate stream corrupt");

                 return -1;

             }

+            /*

+             * FIXME: Remapping a couple of error codes and falling through

+             * to the LZMA error handling looks fragile.

+             */

             if (ret == Z_MEM_ERROR)

                 ret = LZMA_MEM_ERROR;

             if (ret == Z_DATA_ERROR)

@@ -587,6 +591,11 @@ xz_decomp(xz_statep state)

             xz_error(state, LZMA_PROG_ERROR, "compression error");

             return -1;

         }

+        if ((state->how != GZIP) &&

+            (ret != LZMA_OK) && (ret != LZMA_STREAM_END)) {

+            xz_error(state, ret, "lzma error");

+            return -1;

+        }

     } while (strm->avail_out && ret != LZMA_STREAM_END);

     /* update available output and crc check value */

-- 

2.22.0