When filling the bit buffer, gzip decompression apparently never checked for end...

diff --git a/archival/libunarchive/decompress_unzip.c b/archival/libunarchive/decompress_unzip.c
index e8cf54bff5f0c712bc51f0a5b84ac7eec1c2b550..b17065d92d1d0ed353394b6d11f38c6d3d5859fc 100644 (file)
--- a/archival/libunarchive/decompress_unzip.c
+++ b/archival/libunarchive/decompress_unzip.c
@@ -151,7 +151,10 @@ static unsigned int fill_bitbuffer(unsigned int bitbuffer, unsigned int *current
                        /* Leave the first 4 bytes empty so we can always unwind the bitbuffer
                         * to the front of the bytebuffer, leave 4 bytes free at end of tail
                         * so we can easily top up buffer in check_trailer_gzip() */
-                       bytebuffer_size = 4 + bb_xread(gunzip_src_fd, &bytebuffer[4], bytebuffer_max - 8);
+                       if (!(bytebuffer_size = bb_xread(gunzip_src_fd, &bytebuffer[4], bytebuffer_max - 8))) {
+                               bb_error_msg_and_die("unexpected end of file");
+                       }
+                       bytebuffer_size += 4;
                        bytebuffer_offset = 4;
                }
                bitbuffer |= ((unsigned int) bytebuffer[bytebuffer_offset]) << *current;