Fix for an integer overflow bug that could cause a segfault on certain
authorRob Landley <rob@landley.net>
Fri, 17 Feb 2006 05:19:40 +0000 (05:19 -0000)
committerRob Landley <rob@landley.net>
Fri, 17 Feb 2006 05:19:40 +0000 (05:19 -0000)
pathological archives.

(Unlikely to have security implications, the only way to trigger it basically
wound up doing memset(dbuf,x,2^31) and triggering an immediate segfault.  The
test basically gives us a more polite error message.)

Thanks to Ned Ludd and the Gentoo security guys for finding this.

archival/libunarchive/decompress_bunzip2.c

index 34afd6f99c6c77768e3e223a47a4cecc5b699bdd..df6fa078fe2784ed22d2767cb209cf30961dfc14 100644 (file)
@@ -413,7 +413,7 @@ got_huff_bits:
                           context).  Thus space is saved. */
 
                        t += (runPos << nextSym); /* +runPos if RUNA; +2*runPos if RUNB */
-                       runPos <<= 1;
+                       if(runPos < dbufSize) runPos <<= 1;
                        goto end_of_huffman_loop;
                }