From: Manuel Novoa III Date: Tue, 1 Mar 2005 19:29:29 +0000 (-0000) Subject: When filling the bit buffer, gzip decompression apparently never checked for end... X-Git-Tag: 1_1_0~1095 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=0d8c652c46e49e71bbc93e405252ea87cfbe6c89;p=oweals%2Fbusybox.git When filling the bit buffer, gzip decompression apparently never checked for end of file, causing it to hang on corrupted input. --- diff --git a/archival/libunarchive/decompress_unzip.c b/archival/libunarchive/decompress_unzip.c index e8cf54bff..b17065d92 100644 --- a/archival/libunarchive/decompress_unzip.c +++ b/archival/libunarchive/decompress_unzip.c @@ -151,7 +151,10 @@ static unsigned int fill_bitbuffer(unsigned int bitbuffer, unsigned int *current /* Leave the first 4 bytes empty so we can always unwind the bitbuffer * to the front of the bytebuffer, leave 4 bytes free at end of tail * so we can easily top up buffer in check_trailer_gzip() */ - bytebuffer_size = 4 + bb_xread(gunzip_src_fd, &bytebuffer[4], bytebuffer_max - 8); + if (!(bytebuffer_size = bb_xread(gunzip_src_fd, &bytebuffer[4], bytebuffer_max - 8))) { + bb_error_msg_and_die("unexpected end of file"); + } + bytebuffer_size += 4; bytebuffer_offset = 4; } bitbuffer |= ((unsigned int) bytebuffer[bytebuffer_offset]) << *current;