`lzma._decode_filter_properties` crashes with BCJ filter and buffer of zero length

[chgnrdv]

Example:

>>> import lzma
>>> lzma._decode_filter_properties(lzma.FILTER_X86, b"")
Segmentation fault (core dumped)

In _lzma__decode_filter_properties_impl call to lzma_properties_decode returns LZMA_OK and leaves filter.options intact (that is uninitialized) if filter.id is id of a BCJ filter (FILTER_X86, FILTER_POWERPC, FILTER_IA64, FILTER_ARM, FILTER_ARMTHUMB, FILTER_SPARC) and encoded_props->len is equal to zero.

cpython/Modules/_lzmamodule.c

Lines 1487 to 1495 in 01cc9c1

	lzret = lzma_properties_decode(
	&filter, NULL, encoded_props->buf, encoded_props->len);
	if (catch_lzma_error(state, lzret)) {
	return NULL;
	}
	result = build_filter_spec(&filter);

Then, in build_filter_spec, access to f->options->start_offset leads to segmentation fault:

cpython/Modules/_lzmamodule.c

Lines 489 to 499 in 01cc9c1

	}
	case LZMA_FILTER_X86:
	case LZMA_FILTER_POWERPC:
	case LZMA_FILTER_IA64:
	case LZMA_FILTER_ARM:
	case LZMA_FILTER_ARMTHUMB:
	case LZMA_FILTER_SPARC: {
	lzma_options_bcj *options = f->options;
	ADD_FIELD(options, start_offset);
	break;
	}

The PR is on the way.
3.9-3.12 are affected for sure.

Linked PRs

• gh-104282: Fix null pointer dereference in lzma._decode_filter_properties #104283
• [3.12] gh-104282: Fix null pointer dereference in lzma._decode_filter_properties (GH-104283) #114181
• [3.11] gh-104282: Fix null pointer dereference in lzma._decode_filter_properties (GH-104283) #114182

[vortex996]

same

[serhiy-storchaka]

The PR uses a solution that differs from your report. It tests that options is not NULL. And I tested that it is set to NULL if the memory was initialized by non-null values. So this is not a use of uninitialized value, but a null pointer dereference.

lzma._decode_filter_properties() is not used with BCJ filter in the stdlib, and it is a private function, so this crash does not affect common users. But for third-party projects it may be a security issue.