Bug 12896 - Gzip decompression, erroneous "corrupted data" when extra field length > 16384 bytes, patch included.
Status: NEW
Alias: None
Product: Busybox
Classification: Unclassified
Component: Standard Compliance
Version: unspecified
Hardware: All All
: P5 normal
Target Milestone: ---
Assignee: unassigned
 
Reported: 2020-05-12 17:10 UTC by Lo2
Modified: 2020-05-12 17:10 UTC


Attachments
busybox_gzip_extra_field.tar.gz (1.15 KB, application/x-gzip)
2020-05-12 17:10 UTC, Lo2

Description Lo2 2020-05-12 17:10:56 UTC
Created attachment 8461
busybox_gzip_extra_field.tar.gz

The gzip specification allows for an extra field of max size 65535 (0xFFFF) bytes.

However, when a gzip file contains an extra field of more than 16384 (0x4000), the decompression erroneously fails with an error message "corrupted data".

In archival/libarchive/decompress_gunzip.c, the code that checks the gzip header does not check that the extra field length might be over bytebuffer_max. When that's the case, the top_up(extra field length) function call fails, and the header check fails.

The included file contains:
  - The patch that fixes the issue
  - Two gzip files, one that triggers the error, and one that does not.

All these files have no rights reserved, and can therefore conform to the relevant licenses of this project.
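
An added example, not part of the original report or its attachment: a Python sketch that builds gzip members with an extra field at, just over, and at the maximum of the sizes discussed above, then confirms the header parses and that zlib's gzip decoder accepts them. The function names and the "zz" subfield ID are assumptions made for this illustration.

```python
import struct
import zlib

FEXTRA = 0x04  # FLG bit: an extra field follows the 10-byte fixed header

def make_gzip(payload: bytes, extra_len: int) -> bytes:
    """Build one gzip member carrying an extra field of exactly extra_len bytes."""
    if not 4 <= extra_len <= 0xFFFF:
        raise ValueError("extra_len must fit one subfield and the 16-bit XLEN")
    # Constructed subfield: SI1, SI2 ("zz", arbitrary), LEN, then zero padding.
    subfield = b"zz" + struct.pack("<H", extra_len - 4) + bytes(extra_len - 4)
    # Fixed header: ID1 ID2 CM FLG MTIME XFL OS (OS 255 = unknown)
    header = struct.pack("<BBBBIBB", 0x1F, 0x8B, 8, FEXTRA, 0, 0, 255)
    header += struct.pack("<H", extra_len) + subfield
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw deflate body
    body = deflater.compress(payload) + deflater.flush()
    trailer = struct.pack("<II", zlib.crc32(payload), len(payload) & 0xFFFFFFFF)
    return header + body + trailer

def extra_field_len(data: bytes) -> int:
    """Return XLEN from a gzip header, or 0 when FEXTRA is not set."""
    if len(data) < 10:
        raise ValueError("truncated gzip header")
    id1, id2, cm, flg = struct.unpack_from("<BBBB", data, 0)
    if (id1, id2, cm) != (0x1F, 0x8B, 8):
        raise ValueError("not a gzip/deflate member")
    if not flg & FEXTRA:
        return 0
    if len(data) < 12:
        raise ValueError("truncated XLEN")
    (xlen,) = struct.unpack_from("<H", data, 10)
    if len(data) < 12 + xlen:
        raise ValueError("truncated extra field")
    return xlen

def decodes_ok(data: bytes, expected: bytes) -> bool:
    """True when zlib's gzip decoder (wbits=31) recovers the payload."""
    try:
        return zlib.decompress(data, wbits=31) == expected
    except zlib.error:
        return False

if __name__ == "__main__":
    for n in (16384, 16385, 0xFFFF):  # at, just over, and at the format maximum
        gz = make_gzip(b"hello\n", n)
        print(n, extra_field_len(gz), decodes_ok(gz, b"hello\n"))
```

Writing the output of `make_gzip` to a file gives a regression input for any gunzip implementation under test.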