aboutsummaryrefslogtreecommitdiff
path: root/contrib/bzip2/decompress.c
diff options
context:
space:
mode:
authorColin Percival <cperciva@FreeBSD.org>2010-09-20 14:58:08 +0000
committerColin Percival <cperciva@FreeBSD.org>2010-09-20 14:58:08 +0000
commit0df48150179039ce25e09b48c85aa39bffdbb4c4 (patch)
tree33dc38da7e9481b1c30075c023dd26dbd26b6bdb /contrib/bzip2/decompress.c
parent0f14c153efe45f7c6dd98f0324f0e6882817c815 (diff)
downloadsrc-0df48150179039ce25e09b48c85aa39bffdbb4c4.tar.gz
src-0df48150179039ce25e09b48c85aa39bffdbb4c4.zip
Fix an integer overflow in RLE length parsing when decompressingreleng/6.4
corrupt bzip2 data. Approved by: so (cperciva) Security: FreeBSD-SA-10:08.bzip2
Notes
Notes: svn path=/releng/6.4/; revision=212901
Diffstat (limited to 'contrib/bzip2/decompress.c')
-rw-r--r--contrib/bzip2/decompress.c7
1 files changed, 7 insertions, 0 deletions
diff --git a/contrib/bzip2/decompress.c b/contrib/bzip2/decompress.c
index bba5e0fa36dc..af1d4d09afb9 100644
--- a/contrib/bzip2/decompress.c
+++ b/contrib/bzip2/decompress.c
@@ -381,6 +381,13 @@ Int32 BZ2_decompress ( DState* s )
es = -1;
N = 1;
do {
+ /* Check that N doesn't get too big, so that es doesn't
+ go negative. The maximum value that can be
+ RUNA/RUNB encoded is equal to the block size (post
+ the initial RLE), viz, 900k, so bounding N at 2
+ million should guard against overflow without
+ rejecting any legitimate inputs. */
+ if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR);
if (nextSym == BZ_RUNA) es = es + (0+1) * N; else
if (nextSym == BZ_RUNB) es = es + (1+1) * N;
N = N * 2;