liblzma: Add overflow check for Unpadded size in lzma_index_append().

(cherry picked from commit b44a328456225b234546d96eaa5899a10251c76f)

backport-liblzma-Add-overflow-check-for-Unpadded-size-in-lzma.patch

@@ -0,0 +1,60 @@
+From 68bda971bb8b666a009331455fcedb4e18d837a4  Mon Sep 17 00:00:00 2001
+From: Jia Tan <jiat0218@gmail.com>
+Date: Mon, 28 Aug 2023 21:31:25 +0800
+Subject: [PATCH] liblzma: Add overflow check for Unpadded size in
+ lzma_index_append().
+
+This was not a security bug since there was no path to overflow
+UINT64_MAX in lzma_index_append() or when it calls index_file_size().
+The bug was discovered by a failing assert() in vli_ceil4() when called
+from index_file_size() when unpadded_sum (the sum of the compressed size
+of current Stream and the unpadded_size parameter) exceeds LZMA_VLI_MAX.
+
+Previously, the unpadded_size parameter was checked to be not greater
+than UNPADDED_SIZE_MAX, but no check was done once compressed_base was
+added.
+
+This could not have caused an integer overflow in index_file_size() when
+called by lzma_index_append(). The calculation for file_size breaks down
+into the sum of:
+
+- Compressed base from all previous Streams
+- 2 * LZMA_STREAM_HEADER_SIZE (size of the current Streams header and
+  footer)
+- stream_padding (can be set by lzma_index_stream_padding())
+- Compressed base from the current Stream
+- Unpadded size (parameter to lzma_index_append())
+
+The sum of everything except for Unpadded size must be less than
+LZMA_VLI_MAX. This is guarenteed by overflow checks in the functions
+that can set these values including lzma_index_stream_padding(),
+lzma_index_append(), and lzma_index_cat(). The maximum value for
+Unpadded size is enforced by lzma_index_append() to be less than or
+equal UNPADDED_SIZE_MAX. Thus, the sum cannot exceed UINT64_MAX since
+LZMA_VLI_MAX is half of UINT64_MAX.
+
+Thanks to Joona Kannisto for reporting this.
+---
+ src/liblzma/common/index.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/liblzma/common/index.c b/src/liblzma/common/index.c
+index a41e8f3..8c8ad46 100644
+--- a/src/liblzma/common/index.c
++++ b/src/liblzma/common/index.c
+@@ -656,6 +656,12 @@ lzma_index_append(lzma_index *i, const lzma_allocator *allocator,
+ 	const uint32_t index_list_size_add = lzma_vli_size(unpadded_size)
+ 			+ lzma_vli_size(uncompressed_size);
+ 
++	// Check that the new unpadded sum will not overflow. This is
++	// checked again in index_file_size(), but the unpadded sum is
++	// passed to vli_ceil4() which expects a valid lzma_vli value.
++	if (compressed_base + unpadded_size > UNPADDED_SIZE_MAX)
++		return LZMA_DATA_ERROR;
++
+ 	// Check that the file size will stay within limits.
+ 	if (index_file_size(s->node.compressed_base,
+ 			compressed_base + unpadded_size, s->record_count + 1,
+-- 
+2.23.0
+

xz.spec

@@ -1,6 +1,6 @@
 Name:           xz
 Version:        5.2.5
-Release:        3
+Release:        4
 Summary:        A free general-purpose data compreession software with LZMA2 algorithm
 License:        Public Domain, LGPLv2.1 and GPLv2+
 URL:            http://tukaani.org/xz
@@ -9,6 +9,7 @@ Source1:        colorxzgrep.sh
 Source2:        colorxzgrep.csh
 
 Patch6000:      backport-CVE-2022-1271.patch
+Patch6001:      backport-liblzma-Add-overflow-check-for-Unpadded-size-in-lzma.patch
 
 BuildRequires:  perl-interpreter gcc
 
@@ -111,6 +112,12 @@ LD_LIBRARY_PATH=$PWD/src/liblzma/.libs make check
 %{_mandir}/de/man1/*xz*
 
 %changelog
+* Wed May 22 2024 kouwenqi <kouwenqi@kylinos.cn> - 5.2.5-4
+- Type:enhancement
+- CVE:NA
+- SUG:NA
+- DESC:Add overflow check for Unpadded size in lzma_index_append
+
 * Fri Sep 23 2022 wangjiang <wangjiang37@h-partners.com> - 5.2.5-3
 - Type:enhancement
 - CVE:NA