| Summary: | Gzip decompression, erroneous "corrupted data" when extra field length > 16384 bytes, patch included. | ||
|---|---|---|---|
| Product: | Busybox | Reporter: | Lo2 <busybox.dev> |
| Component: | Standard Compliance | Assignee: | unassigned |
| Status: | NEW --- | ||
| Severity: | normal | CC: | busybox-cvs |
| Priority: | P5 | ||
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | All | ||
| Host: | Target: | ||
| Build: | |||
| Attachments: | busybox_gzip_extra_field.tar.gz | ||
Created attachment 8461: busybox_gzip_extra_field.tar.gz

The gzip specification allows for an extra field of max size 65535 (0xFFFF) bytes. However, when a gzip file contains an extra field of more than 16384 (0x4000), the decompression erroneously fails with an error message "corrupted data".

In archival/libarchive/decompress_gunzip.c, the code that checks the gzip header does not check that the extra field length might be over bytebuffer_max. When that's the case, the top_up(extra field length) function call fails, and the header check fails.

The included file contains:

- The patch that fixes the issue
- Two gzip files, one that triggers the error, and one that does not.

All these files have no rights reserved, and can therefore conform to the relevant licenses of this project.
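
The failure mode described in the report, as an added self-contained C example (this is not the attached patch and not BusyBox code). It models a reader that can make at most `WINDOW` bytes available per request and compares a single request for the whole extra field against skipping it in chunks. `struct src`, `need`, `skip`, `gzip_skip_extra` and `make_sample` are hypothetical names, `WINDOW` is assumed to equal the 0x4000 limit from the report, and only the fixed header and the FEXTRA field are parsed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define WINDOW 0x4000u  /* assumed fixed read-buffer size (16384 bytes) */
#define FEXTRA 0x04     /* RFC 1952 FLG bit: extra field present */
struct src { const uint8_t *p; size_t len, pos; };

/* Model of a fixed-buffer reader: one request can never exceed WINDOW
 * bytes, nor the number of bytes the input still holds. */
static int need(const struct src *s, size_t n) {
    return n <= WINDOW && n <= s->len - s->pos;
}

/* Skip n bytes; with chunked set, request at most WINDOW bytes at a time. */
static int skip(struct src *s, size_t n, int chunked) {
    while (n) {
        size_t step = (chunked && n > WINDOW) ? WINDOW : n;
        if (!need(s, step)) return 0;
        s->pos += step;
        n -= step;
    }
    return 1;
}

/* Returns the offset just past the 10-byte header and extra field, or -1.
 * chunked=0 issues one request for the whole field, as in the report. */
long gzip_skip_extra(const uint8_t *buf, size_t len, int chunked) {
    struct src s = { buf, len, 0 };
    if (!need(&s, 10) || buf[0] != 0x1f || buf[1] != 0x8b || buf[2] != 8)
        return -1;
    s.pos = 10;
    if (buf[3] & FEXTRA) {
        if (!need(&s, 2)) return -1;
        size_t xlen = buf[s.pos] | (size_t)buf[s.pos + 1] << 8; /* LE16 */
        s.pos += 2;
        if (!skip(&s, xlen, chunked)) return -1;
    }
    return (long)s.pos;
}

/* Constructed sample: gzip header with FEXTRA and an xlen-byte zero field. */
size_t make_sample(uint8_t *out, uint16_t xlen) {
    static const uint8_t hdr[10] = { 0x1f, 0x8b, 8, FEXTRA, 0, 0, 0, 0, 0, 3 };
    memcpy(out, hdr, sizeof hdr);
    out[10] = (uint8_t)(xlen & 0xff); out[11] = (uint8_t)(xlen >> 8);
    memset(out + 12, 0, xlen);
    return 12u + xlen;
}
```

The chunked path still rejects a truncated extra field, so accepting lengths up to 0xFFFF does not mean trusting the declared length beyond the bytes actually present.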