Example:

```pycon
>>> import lzma
>>> lzma._decode_filter_properties(lzma.FILTER_X86, b"")
Segmentation fault (core dumped)
```
In `_lzma__decode_filter_properties_impl`, the call to `lzma_properties_decode` returns `LZMA_OK` and leaves `filter.options` intact (that is, uninitialized) if `filter.id` is the id of a BCJ filter (`FILTER_X86`, `FILTER_POWERPC`, `FILTER_IA64`, `FILTER_ARM`, `FILTER_ARMTHUMB`, `FILTER_SPARC`) and `encoded_props->len` is equal to zero.
cpython/Modules/_lzmamodule.c, lines 1487 to 1495 in 01cc9c1:

```c
    lzret = lzma_properties_decode(
            &filter, NULL, encoded_props->buf, encoded_props->len);
    if (catch_lzma_error(state, lzret)) {
        return NULL;
    }

    result = build_filter_spec(&filter);
```
Then, in `build_filter_spec`, the access to `f->options->start_offset` leads to a segmentation fault:
cpython/Modules/_lzmamodule.c, lines 489 to 499 in 01cc9c1:

```c
        }
        case LZMA_FILTER_X86:
        case LZMA_FILTER_POWERPC:
        case LZMA_FILTER_IA64:
        case LZMA_FILTER_ARM:
        case LZMA_FILTER_ARMTHUMB:
        case LZMA_FILTER_SPARC: {
            lzma_options_bcj *options = f->options;
            ADD_FIELD(options, start_offset);
            break;
        }
```
The PR is on the way.
3.9-3.12 are affected for sure.
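The following is an added example, not part of the original report or of CPython's own code. It shows why the zero-length case is reachable from perfectly legitimate data: for the BCJ filters, liblzma encodes a `start_offset` of 0 as zero property bytes, so `_encode_filter_properties` on a default BCJ spec yields `b""`, exactly the input that crashes `_decode_filter_properties`. It also shows a way to check whether a given interpreter is affected without taking down the caller: the decode is run in a child interpreter and a signal death is reported instead of being suffered. The helper names (`encode_bcj_props`, `decode_bcj_props`, `probe_decode`, `affected_bcj_filters`) are this example's own, and `NON_BCJ_FILTER` is chosen here as a control case only; the interpretation of the child's return code as a crash (negative on POSIX, `0xC0000005` on Windows) is an assumption about the platform, not something the report states.

```python
import lzma
import subprocess
import sys

# The six BCJ (branch/call/jump) filters named in the report. For these, liblzma
# encodes start_offset == 0 as *zero* property bytes, so an empty properties
# blob is a legitimate encoding, not only attacker-controlled input.
BCJ_FILTERS = (
    lzma.FILTER_X86, lzma.FILTER_POWERPC, lzma.FILTER_IA64,
    lzma.FILTER_ARM, lzma.FILTER_ARMTHUMB, lzma.FILTER_SPARC,
)

# Control case (example's choice): LZMA2 requires exactly one property byte, so
# an empty blob is rejected with LZMAError instead of dereferencing garbage.
NON_BCJ_FILTER = lzma.FILTER_LZMA2


def encode_bcj_props(filter_id, start_offset=0):
    """Encode a BCJ filter spec the way a .xz block header would carry it."""
    return lzma._encode_filter_properties(
        {"id": filter_id, "start_offset": start_offset})


def decode_bcj_props(filter_id, props):
    """Decode in-process. Only call with non-empty BCJ props on an unpatched
    interpreter; empty BCJ props are the crashing path from the report."""
    return lzma._decode_filter_properties(filter_id, props)


def probe_decode(filter_id, props):
    """Run the decode in a child interpreter so a segfault cannot kill the caller.

    Returns the child's return code and whether it died abnormally. Assumption:
    a negative code means a signal on POSIX; 0xC0000005 is ACCESS_VIOLATION on
    Windows. A clean LZMAError exits the child with code 1.
    """
    script = "import lzma\nlzma._decode_filter_properties({}, {!r})\n".format(
        filter_id, props)
    proc = subprocess.run([sys.executable, "-c", script],
                          capture_output=True, timeout=60)
    crashed = proc.returncode < 0 or proc.returncode == 0xC0000005
    return {"returncode": proc.returncode, "crashed": crashed}


def affected_bcj_filters():
    """BCJ filter ids whose empty-properties decode crashes this interpreter."""
    return [fid for fid in BCJ_FILTERS if probe_decode(fid, b"")["crashed"]]


if __name__ == "__main__":
    # Legitimate round trip: start_offset 0 encodes to zero bytes, which is the
    # exact input that reaches the uninitialized filter.options pointer.
    print("default X86 props:", encode_bcj_props(lzma.FILTER_X86, 0))
    # A non-zero offset encodes to 4 little-endian bytes and decodes normally.
    blob = encode_bcj_props(lzma.FILTER_X86, 0x1000)
    print("X86 @0x1000:", blob, decode_bcj_props(lzma.FILTER_X86, blob))
    print("LZMA2 with empty props:", probe_decode(NON_BCJ_FILTER, b""))
    print("affected BCJ filters:", affected_bcj_filters())
```

On an unpatched 3.9 to 3.12 interpreter the last line lists all six BCJ ids; on a fixed interpreter it prints an empty list and the child exits cleanly. The probe costs one interpreter start per filter, which is acceptable for a one-off check but not something to put in a hot path.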
Linked PRs
- lzma._decode_filter_properties #104283
- lzma._decode_filter_properties (GH-104283) #114181
- lzma._decode_filter_properties (GH-104283) #114182