Bug 599

Summary: busybox applet unlzma crashes
Product: Busybox
Reporter: Oliver Metz <oliver.metz>
Component: Other
Assignee: unassigned
Status: RESOLVED FIXED
Severity: normal
CC: busybox-cvs
Priority: P5
Version: unspecified
Target Milestone: ---
Hardware: PC
OS: Linux
Host:
Target:
Build:
Attachments:
  .config
  decompress_unlzma.s
  decompress_unlzma.i

Description Oliver Metz 2009-09-06 10:42:00 UTC
This changeset (http://git.busybox.net/busybox/commit/?id=9ac3dc764a78b51fe8fdcd1b4682850de098733b) breaks bb unlzma applet for me.

busybox-1.15.0
Linux ubuntu 2.6.28-15-server #49-Ubuntu SMP Tue Aug 18 20:09:37 UTC 2009 x86_64 GNU/Linux


I get the following gdb output:
(gdb) run unlzma dl/gcc-3.4.6-freetz-0.3.tar.lzma
Starting program: /home/oliver/fritzbox/freetz/trunk-test/tools/busybox unlzma dl/gcc-3.4.6-freetz-0.3.tar.lzma

Program received signal SIGSEGV, Segmentation fault.
0x00000000004883ba in rc_is_bit_1 (rc=0x1ea5290, p=0x201ea1972) at archival/libunarchive/decompress_unlzma.c:108
108             rc->bound = *p * (rc->range >> RC_MODEL_TOTAL_BITS);
(gdb) backtrace
#0  0x00000000004883ba in rc_is_bit_1 (rc=0x1ea5290, p=0x201ea1972) at archival/libunarchive/decompress_unlzma.c:108
#1  0x00000000004885c5 in rc_get_bit (rc=0x1ea5290, p=0x201ea1972, symbol=0x7fff25e3e1e4) at archival/libunarchive/decompress_unlzma.c:123
#2  0x0000000000488121 in unpack_lzma_stream (src_fd=0, dst_fd=1) at archival/libunarchive/decompress_unlzma.c:423
#3  0x0000000000484539 in unpack_unlzma (info=0x7fff25e3e300) at archival/bbunzip.c:330
#4  0x0000000000484373 in bbunpack (argv=0x7fff25e3e528, make_new_name=0x484507 <make_new_name_unlzma>, unpacker=0x484522 <unpack_unlzma>)
    at archival/bbunzip.c:98
#5  0x00000000004845a5 in unlzma_main (argc=2, argv=0x7fff25e3e528) at archival/bbunzip.c:342
#6  0x0000000000480d0c in run_applet_no_and_exit (applet_no=6, argv=0x7fff25e3e520) at libbb/appletlib.c:741
#7  0x0000000000480d44 in run_applet_and_exit (name=0x7fff25e3e921 "unlzma", argv=0x7fff25e3e520) at libbb/appletlib.c:748
#8  0x0000000000480c57 in busybox_main (argv=0x7fff25e3e520) at libbb/appletlib.c:713
#9  0x0000000000480d66 in run_applet_and_exit (name=0x7fff25e3e919 "busybox", argv=0x7fff25e3e518) at libbb/appletlib.c:750
#10 0x0000000000480de1 in main (argc=3, argv=0x7fff25e3e518) at libbb/appletlib.c:785
(gdb) print *p
Cannot access memory at address 0x201ea1972
(gdb)

The lzma file can be found here: http://freetz.magenbrot.net/gcc-3.4.6-freetz-0.3.tar.lzma

Anything more I can attach?
Comment 1 Denys Vlasenko 2009-09-06 11:03:58 UTC
Can you attach your .config and results of

make archival/libunarchive/decompress_unlzma.i

and 

make archival/libunarchive/decompress_unlzma.s

commands?
Comment 2 Oliver Metz 2009-09-06 11:27:54 UTC
Created attachment 633
.config
Comment 3 Oliver Metz 2009-09-06 11:29:17 UTC
Created attachment 635
decompress_unlzma.s
Comment 4 Oliver Metz 2009-09-06 11:30:26 UTC
Created attachment 637
decompress_unlzma.i
Comment 5 Oliver Metz 2009-09-06 11:32:00 UTC
I attached the requested files. The crash occurs with and without LZMA_FAST.
Comment 6 Denys Vlasenko 2009-09-06 13:07:20 UTC
Reproduced on an x86_64 machine:

# ./busybox unlzma <gcc-3.4.6-freetz-0.3.tar.lzma >gcc-3.4.6-freetz-0.3.tar; echo $?
/bin/bash: line 1:  8183 Segmentation fault      (core dumped) ./busybox unlzma < gcc-3.4.6-freetz-0.3.tar.lzma > gcc-3.4.6-freetz-0.3.tar
139

Works on 32-bit x86.
Comment 7 Denys Vlasenko 2009-09-12 20:41:00 UTC
The offending patch is reverted from trunk and from the 1.15.x branch.
Comment 8 Denys Vlasenko 2009-09-20 18:19:12 UTC
The fixed patch was re-applied to git and tested.