This changeset (http://git.busybox.net/busybox/commit/?id=9ac3dc764a78b51fe8fdcd1b4682850de098733b) breaks the bb unlzma applet for me.

busybox-1.15.0
Linux ubuntu 2.6.28-15-server #49-Ubuntu SMP Tue Aug 18 20:09:37 UTC 2009 x86_64 GNU/Linux

I get the following gdb output:

(gdb) run unlzma dl/gcc-3.4.6-freetz-0.3.tar.lzma
Starting program: /home/oliver/fritzbox/freetz/trunk-test/tools/busybox unlzma dl/gcc-3.4.6-freetz-0.3.tar.lzma

Program received signal SIGSEGV, Segmentation fault.
0x00000000004883ba in rc_is_bit_1 (rc=0x1ea5290, p=0x201ea1972) at archival/libunarchive/decompress_unlzma.c:108
108         rc->bound = *p * (rc->range >> RC_MODEL_TOTAL_BITS);
(gdb) backtrace
#0  0x00000000004883ba in rc_is_bit_1 (rc=0x1ea5290, p=0x201ea1972) at archival/libunarchive/decompress_unlzma.c:108
#1  0x00000000004885c5 in rc_get_bit (rc=0x1ea5290, p=0x201ea1972, symbol=0x7fff25e3e1e4) at archival/libunarchive/decompress_unlzma.c:123
#2  0x0000000000488121 in unpack_lzma_stream (src_fd=0, dst_fd=1) at archival/libunarchive/decompress_unlzma.c:423
#3  0x0000000000484539 in unpack_unlzma (info=0x7fff25e3e300) at archival/bbunzip.c:330
#4  0x0000000000484373 in bbunpack (argv=0x7fff25e3e528, make_new_name=0x484507 <make_new_name_unlzma>, unpacker=0x484522 <unpack_unlzma>) at archival/bbunzip.c:98
#5  0x00000000004845a5 in unlzma_main (argc=2, argv=0x7fff25e3e528) at archival/bbunzip.c:342
#6  0x0000000000480d0c in run_applet_no_and_exit (applet_no=6, argv=0x7fff25e3e520) at libbb/appletlib.c:741
#7  0x0000000000480d44 in run_applet_and_exit (name=0x7fff25e3e921 "unlzma", argv=0x7fff25e3e520) at libbb/appletlib.c:748
#8  0x0000000000480c57 in busybox_main (argv=0x7fff25e3e520) at libbb/appletlib.c:713
#9  0x0000000000480d66 in run_applet_and_exit (name=0x7fff25e3e919 "busybox", argv=0x7fff25e3e518) at libbb/appletlib.c:750
#10 0x0000000000480de1 in main (argc=3, argv=0x7fff25e3e518) at libbb/appletlib.c:785
(gdb) print *p
Cannot access memory at address 0x201ea1972
(gdb)

The lzma file can be found here: http://freetz.magenbrot.net/gcc-3.4.6-freetz-0.3.tar.lzma

Anything more I can attach?
Can you attach your .config and the results of the 'make archival/libunarchive/decompress_unlzma.i' and 'make archival/libunarchive/decompress_unlzma.s' commands?
Created attachment 633: .config
Created attachment 635: decompress_unlzma.s
Created attachment 637: decompress_unlzma.i
I attached the requested files. The crash occurs with and without LZMA_FAST.
Reproduced on an x86_64 machine:

# ./busybox unlzma <gcc-3.4.6-freetz-0.3.tar.lzma >gcc-3.4.6-freetz-0.3.tar; echo $?
/bin/bash: line 1:  8183 Segmentation fault      (core dumped) ./busybox unlzma < gcc-3.4.6-freetz-0.3.tar.lzma > gcc-3.4.6-freetz-0.3.tar
139

Works on 32-bit x86.
The offending patch has been reverted from trunk and from the 1.15.x branch.
The fixed patch was re-applied to git and tested.