authorColin Percival <cperciva@FreeBSD.org>2010-09-20 14:58:08 +0000
committerColin Percival <cperciva@FreeBSD.org>2010-09-20 14:58:08 +0000
commit66e576525d35c68fcb86f142ebaa5a448555c0c7 (patch)
treeba47197f062f10b562c453cb632d1fd32067d1ec /contrib/bzip2
parente43e02f1a443b3e3dde6876f034277892fae4d9d (diff)
Fix an integer overflow in RLE length parsing when decompressing
corrupt bzip2 data. Approved by: so (cperciva) Security: FreeBSD-SA-10:08.bzip2
Notes
Notes: svn path=/head/; revision=212901
Diffstat (limited to 'contrib/bzip2')
-rw-r--r--contrib/bzip2/decompress.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/contrib/bzip2/decompress.c b/contrib/bzip2/decompress.c
index bba5e0fa36dcc..af1d4d09afb9c 100644
--- a/contrib/bzip2/decompress.c
+++ b/contrib/bzip2/decompress.c
@@ -381,6 +381,13 @@ Int32 BZ2_decompress ( DState* s )
es = -1;
N = 1;
do {
+ /* Check that N doesn't get too big, so that es doesn't
+ go negative. The maximum value that can be
+ RUNA/RUNB encoded is equal to the block size (post
+ the initial RLE), viz, 900k, so bounding N at 2
+ million should guard against overflow without
+ rejecting any legitimate inputs. */
+ if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR);
if (nextSym == BZ_RUNA) es = es + (0+1) * N; else
if (nextSym == BZ_RUNB) es = es + (1+1) * N;
N = N * 2;
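Review bot: The limit in `if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR);` is a magic number whose justification lives only in the comment above it; giving it a name alongside the other BZ_ constants the hunk already uses (BZ_RUNA, BZ_RUNB, BZ_DATA_ERROR), e.g. `#define BZ_MAX_RUN_N (2*1024*1024)` with `if (N >= BZ_MAX_RUN_N) RETURN(BZ_DATA_ERROR);`, would make the bound discoverable and easier to audit. The comment says N is bounded "so that es doesn't go negative" but does not finish the argument: because the check runs before the accumulation and N doubles each pass, the loop adds at most 2*(1+2+...+2^20), i.e. less than 2^22, to `es`, which is far below the 32-bit signed maximum if `es` and `N` are Int32 as the comment implies; a closing sentence such as `/* With N < 2^21 the total added to es stays below 2^22, well inside Int32. */` would let a reader verify the fix without redoing the arithmetic. Placing the check ahead of the `es` update is correct, since the rejected pass never touches `es`. BZ2_decompress and the enclosing do/while loop both continue outside the hunk.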