From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Mon, 16 Sep 2024 21:19:46 +0000 (+0200)
Subject: lzmainfo: Avoid integer overflow
X-Git-Tag: v5.7.1alpha~110
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=76cfd0a9bb33ae8e534b1f73f6359dc825589f2f;p=thirdparty%2Fxz.git

lzmainfo: Avoid integer overflow

The MB output can overflow with huge numbers. Most likely these are
invalid .lzma files anyway, but let's avoid garbage output.

lzmadec was adapted from LZMA Utils. The original code with this bug
was written in 2005, over 19 years ago.

Co-authored-by: Lasse Collin <lasse.collin@tukaani.org>
Closes: https://github.com/tukaani-project/xz/pull/144
---

diff --git a/src/lzmainfo/lzmainfo.c b/src/lzmainfo/lzmainfo.c
index 2550b1f1..d917f371 100644
--- a/src/lzmainfo/lzmainfo.c
+++ b/src/lzmainfo/lzmainfo.c
@@ -149,8 +149,7 @@ lzmainfo(const char *name, FILE *f)
 		printf("Unknown");
 	else
 		printf("%" PRIu64 " MB (%" PRIu64 " bytes)",
-				(uncompressed_size + 512 * 1024)
-					/ (1024 * 1024),
+				(uncompressed_size / 1024 + 512) / 1024,
 				uncompressed_size);
 
 	lzma_options_lzma *opt = filter.options;
@@ -160,7 +159,7 @@ lzmainfo(const char *name, FILE *f)
 			"Literal context bits (lc):     %" PRIu32 "\n"
 			"Literal pos bits (lp):         %" PRIu32 "\n"
 			"Number of pos bits (pb):       %" PRIu32 "\n",
-			(opt->dict_size + 512 * 1024) / (1024 * 1024),
+			(opt->dict_size / 1024 + 512) / 1024,
 			my_log2(opt->dict_size), opt->lc, opt->lp, opt->pb);
 
 	free(opt);