From 222ead54f4d32b6ab39cebcd28f17f9b1f277f4f Mon Sep 17 00:00:00 2001
From: Vitalii Sheludchenkov
Date: Thu, 27 Mar 2025 15:07:52 +0100
Subject: [PATCH 1/2] fixed memory leak on malformed xz archive parsing

---
 C/XzIn.c | 20 +++++++++++++++++++-
 1 file changed, 19 insertions(+), 1 deletion(-)

diff --git a/C/XzIn.c b/C/XzIn.c
index b68af965c..d73b1f7ea 100644
--- a/C/XzIn.c
+++ b/C/XzIn.c
@@ -117,20 +117,38 @@ static SRes Xz_ReadIndex2(CXzStream *p, const Byte *buf, size_t size, ISzAllocPt
     p->numBlocks = numBlocks;
     p->blocks = (CXzBlockSizes *)ISzAlloc_Alloc(alloc, sizeof(CXzBlockSizes) * numBlocks);
     if (!p->blocks)
+    {
+      Xz_Free(p, alloc);
       return SZ_ERROR_MEM;
+    }
     for (i = 0; i < numBlocks; i++)
     {
       CXzBlockSizes *block = &p->blocks[i];
       READ_VARINT_AND_CHECK(buf, pos, size, &block->totalSize)
       READ_VARINT_AND_CHECK(buf, pos, size, &block->unpackSize)
       if (block->totalSize == 0)
+      {
+        Xz_Free(p, alloc);
         return SZ_ERROR_ARCHIVE;
+      }
     }
   }
   while ((pos & 3) != 0)
+  {
     if (buf[pos++] != 0)
+    {
+      Xz_Free(p, alloc);
       return SZ_ERROR_ARCHIVE;
-  return (pos == size) ? SZ_OK : SZ_ERROR_ARCHIVE;
+    }
+  }
+
+  if (pos != size)
+  {
+    Xz_Free(p, alloc);
+    return SZ_ERROR_ARCHIVE;
+  }
+
+  return SZ_OK;
 }
 
 static SRes Xz_ReadIndex(CXzStream *p, ILookInStreamPtr stream, UInt64 indexSize, ISzAllocPtr alloc)

From 9420d7d950036c3fde037dd4071f2a5bb6daba04 Mon Sep 17 00:00:00 2001
From: Vitalii Sheludchenkov
Date: Thu, 27 Mar 2025 15:11:30 +0100
Subject: [PATCH 2/2] removed redundant free call

---
 C/XzIn.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/C/XzIn.c b/C/XzIn.c
index d73b1f7ea..46eb2fce0 100644
--- a/C/XzIn.c
+++ b/C/XzIn.c
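Review bot: The added frees still miss the return path hidden inside READ_VARINT_AND_CHECK: the two macro invocations in the block loop are left untouched as context, and if the macro returns SZ_ERROR_ARCHIVE on a truncated varint, as its name suggests (its definition is outside the hunk), a malformed index that ends mid-block still exits with p->blocks allocated and never released. Placing `Xz_Free(p, alloc);` in front of each explicit `return` also has to be kept in sync with every future error path, which is how the leak arose in the first place. A single cleanup point is more robust: move the parsing body into a static helper with the same parameters (say `Xz_ReadIndex2_Parse`) and make Xz_ReadIndex2 itself `const SRes res = Xz_ReadIndex2_Parse(p, buf, size, alloc); if (res != SZ_OK) Xz_Free(p, alloc); return res;`, which covers the macro's exits and lets the added braces and free calls inside the loop be dropped again. Xz_ReadIndex2 begins before this hunk, so its earlier return statements are not visible here.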
@@ -117,10 +117,8 @@ static SRes Xz_ReadIndex2(CXzStream *p, const Byte *buf, size_t size, ISzAllocPt
     p->numBlocks = numBlocks;
     p->blocks = (CXzBlockSizes *)ISzAlloc_Alloc(alloc, sizeof(CXzBlockSizes) * numBlocks);
     if (!p->blocks)
-    {
-      Xz_Free(p, alloc);
       return SZ_ERROR_MEM;
-    }
+
     for (i = 0; i < numBlocks; i++)
     {
       CXzBlockSizes *block = &p->blocks[i];
@@ -147,7 +145,7 @@ static SRes Xz_ReadIndex2(CXzStream *p, const Byte *buf, size_t size, ISzAllocPt
     Xz_Free(p, alloc);
     return SZ_ERROR_ARCHIVE;
   }
-
+
   return SZ_OK;
 }
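Review bot: Dropping the Xz_Free on the allocation-failure path leaves the stream in an inconsistent state, because the context line `p->numBlocks = numBlocks;` just above the alloc has already stored a non-zero count while p->blocks is now NULL; nothing leaks, but any caller that trusts numBlocks to size p->blocks would then dereference NULL on this error. Either reset the count before returning, `if (!p->blocks) { p->numBlocks = 0; return SZ_ERROR_MEM; }`, or assign p->numBlocks only after the allocation has succeeded. The second hunk only replaces a whitespace-only line. The enclosing function starts before the first hunk.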