author | cperciva <cperciva@FreeBSD.org> | 2010-09-20 14:58:08 +0000 |
---|---|---|
committer | cperciva <cperciva@FreeBSD.org> | 2010-09-20 14:58:08 +0000 |
commit | 700331dbb17acf715d379e67690d036e84f8757d (patch) | |
tree | ba47197f062f10b562c453cb632d1fd32067d1ec /contrib/bzip2 | |
parent | 999124921a62d72f625cb9172911994f524abb1e (diff) | |
Fix an integer overflow in RLE length parsing when decompressing
corrupt bzip2 data.
Approved by: so (cperciva)
Security: FreeBSD-SA-10:08.bzip2
Diffstat (limited to 'contrib/bzip2')
-rw-r--r-- | contrib/bzip2/decompress.c | 7 |
1 files changed, 7 insertions, 0 deletions
diff --git a/contrib/bzip2/decompress.c b/contrib/bzip2/decompress.c
index bba5e0f..af1d4d0 100644
--- a/contrib/bzip2/decompress.c
+++ b/contrib/bzip2/decompress.c
@@ -381,6 +381,13 @@ Int32 BZ2_decompress ( DState* s )
 es = -1;
 N = 1;
 do {
+ /* Check that N doesn't get too big, so that es doesn't
+ go negative. The maximum value that can be
+ RUNA/RUNB encoded is equal to the block size (post
+ the initial RLE), viz, 900k, so bounding N at 2
+ million should guard against overflow without
+ rejecting any legitimate inputs. */
+ if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR);
 if (nextSym == BZ_RUNA) es = es + (0+1) * N; else
 if (nextSym == BZ_RUNB) es = es + (1+1) * N;
 N = N * 2;
|
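Review bot: The bound in `if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR);` is a bare magic number whose only justification is the prose comment above it; naming it alongside the other BZ_ limits would make the bound auditable, e.g. `#define BZ_MAX_RUN_N (2*1024*1024)` and `if (N >= BZ_MAX_RUN_N) RETURN(BZ_DATA_ERROR);`. The comment would also be stronger if it stated the invariant the check actually buys: because N doubles once per pass and the guard runs before the `es = es + ... * N` updates, the accumulated es stays below 2 * (2^21) entering the post-loop accounting, comfortably inside Int32. The phrase "so that es doesn't go negative" understates the pre-fix failure: signed overflow is undefined behavior in C, so the old code's result was compiler-dependent rather than reliably negative, which is worth saying explicitly in a security fix. Whether the expanded run is subsequently bounded against the block buffer depends on code past the end of this hunk; BZ2_decompress begins before the hunk and continues after it.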