Issue 719: Refuse to allocate a too-small PPMD7 context

Other parts of the PPMD7 code assume that the dictionary is at least UNIT_SIZE (12 bytes). Enforce that assumption here to avoid potential buffer under- and over-runs. This was pointed out in a review of the original fix for Issue 719.
libarchive · Jun 19, 2016 · 5e29e82 · 5e29e82
1 parent 603454e
commit 5e29e82
Showing 1 changed file with 5 additions and 0 deletions.
diff --git a/libarchive/archive_ppmd7.c b/libarchive/archive_ppmd7.c
@@ -126,6 +126,11 @@ static Bool Ppmd7_Alloc(CPpmd7 *p, UInt32 size, ISzAlloc *alloc)
 {
   if (p->Base == 0 || p->Size != size)
   {
+    /* RestartModel() below assumes that p->Size >= UNIT_SIZE
+       (see the calculation of m->MinContext). */
+    if (size < UNIT_SIZE) {
+      return False;
+    }
     Ppmd7_Free(p, alloc);
     p->AlignOffset =
       #ifdef PPMD_32BIT