# HG changeset patch # User Pascal Bellard # Date 1208940362 0 # Node ID 83af6305cb3373ff0d18df526c01ee37d2934d8d # Parent fb8167e6c7f520d45ef695a193525af08ec9fffe linux & busybox: memory leak in unlzma diff -r fb8167e6c7f5 -r 83af6305cb33 busybox/receipt --- a/busybox/receipt Wed Apr 23 01:14:59 2008 +0200 +++ b/busybox/receipt Wed Apr 23 08:46:02 2008 +0000 @@ -21,6 +21,7 @@ patch -p1 < ../stuff/$PACKAGE-$VERSION-dhcpc.u patch -p1 < ../stuff/$PACKAGE-$VERSION-cpio-mkdir.u patch -p1 < ../stuff/$PACKAGE-$VERSION-cpio-mtime.u + patch -p1 < ../stuff/$PACKAGE-$VERSION-unlzma.u cp ../stuff/$PACKAGE-$VERSION.config .config make oldconfig make && make install diff -r fb8167e6c7f5 -r 83af6305cb33 busybox/stuff/busybox-1.10.1-unlzma.u --- /dev/null Thu Jan 01 00:00:00 1970 +0000 +++ b/busybox/stuff/busybox-1.10.1-unlzma.u Wed Apr 23 08:46:02 2008 +0000 @@ -0,0 +1,23 @@ +--- busybox-1.10.1/archival/libunarchive/decompress_unlzma.c ++++ busybox-1.10.1/archival/libunarchive/decompress_unlzma.c +@@ -491,10 +491,16 @@ + + if (full_write(dst_fd, buffer, buffer_pos) != buffer_pos) { + bad: ++ len = -1; ++ } ++ else { ++ USE_DESKTOP(total_written += buffer_pos;) ++ len = USE_DESKTOP(total_written) + 0; ++ } ++ if (ENABLE_FEATURE_CLEAN_UP) { + rc_free(rc); +- return -1; ++ free(buffer); ++ free(p); + } +- rc_free(rc); +- USE_DESKTOP(total_written += buffer_pos;) +- return USE_DESKTOP(total_written) + 0; ++ return len; + } diff -r fb8167e6c7f5 -r 83af6305cb33 linux/stuff/linux-lzma-2.6.24.2.u --- a/linux/stuff/linux-lzma-2.6.24.2.u Wed Apr 23 01:14:59 2008 +0200 +++ b/linux/stuff/linux-lzma-2.6.24.2.u Wed Apr 23 08:46:02 2008 +0000 @@ -1624,7 +1624,7 @@ --- linux-2.6.24.2/lib/decompress_unlzma.c +++ linux-2.6.24.2/lib/decompress_unlzma.c -@@ -0,0 +1,605 @@ +@@ -0,0 +1,601 @@ +/* Lzma decompressor for Linux kernel. Shamelessly snarfed + * from busybox 1.1.1 + * @@ -2050,20 +2050,20 @@ + prob_lit = prob + mi; + rc_get_bit(&rc, prob_lit, &mi); + } ++ if (state < 4) ++ state = 0; ++ else if (state < 10) ++ state -= 3; ++ else ++ state -= 6; + previous_byte = (uint8_t) mi; -+ ++ one_byte: + buffer[buffer_pos++] = previous_byte; + if (buffer_pos == header.dict_size) { + buffer_pos = 0; + global_pos += header.dict_size; + writebb((char*)buffer, header.dict_size); + } -+ if (state < 4) -+ state = 0; -+ else if (state < 10) -+ state -= 3; -+ else -+ state -= 6; + } else { + int offset; + uint16_t *prob_len; @@ -2095,13 +2095,7 @@ + goto fail; + } + previous_byte = buffer[pos]; -+ buffer[buffer_pos++] = previous_byte; -+ if (buffer_pos == header.dict_size) { -+ buffer_pos = 0; -+ global_pos += header.dict_size; -+ writebb((char*)buffer, header.dict_size); -+ } -+ continue; ++ goto one_byte; + } else { + rc_update_bit_1(&rc, prob); + } @@ -2225,9 +2219,11 @@ + *posp = rc.ptr-rc.buffer; + } + large_free(buffer); ++ large_free(p); + return 0; + fail: + large_free(buffer); ++ large_free(p); + return -1; +}