summaryrefslogtreecommitdiffstats
path: root/contrib/bzip2
diff options
context:
space:
mode:
authorcperciva <cperciva@FreeBSD.org>2010-09-20 14:58:08 +0000
committercperciva <cperciva@FreeBSD.org>2010-09-20 14:58:08 +0000
commit700331dbb17acf715d379e67690d036e84f8757d (patch)
treeba47197f062f10b562c453cb632d1fd32067d1ec /contrib/bzip2
parent999124921a62d72f625cb9172911994f524abb1e (diff)
downloadFreeBSD-src-700331dbb17acf715d379e67690d036e84f8757d.zip
FreeBSD-src-700331dbb17acf715d379e67690d036e84f8757d.tar.gz
Fix an integer overflow in RLE length parsing when decompressing
corrupt bzip2 data. Approved by: so (cperciva) Security: FreeBSD-SA-10:08.bzip2
Diffstat (limited to 'contrib/bzip2')
-rw-r--r--contrib/bzip2/decompress.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/contrib/bzip2/decompress.c b/contrib/bzip2/decompress.c
index bba5e0f..af1d4d0 100644
--- a/contrib/bzip2/decompress.c
+++ b/contrib/bzip2/decompress.c
@@ -381,6 +381,13 @@ Int32 BZ2_decompress ( DState* s )
es = -1;
N = 1;
do {
+ /* Check that N doesn't get too big, so that es doesn't
+ go negative. The maximum value that can be
+ RUNA/RUNB encoded is equal to the block size (post
+ the initial RLE), viz, 900k, so bounding N at 2
+ million should guard against overflow without
+ rejecting any legitimate inputs. */
+ if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR);
if (nextSym == BZ_RUNA) es = es + (0+1) * N; else
if (nextSym == BZ_RUNB) es = es + (1+1) * N;
N = N * 2;
OpenPOWER on IntegriCloud