svn commit: r212901 - head/contrib/bzip2 releng/6.4
releng/6.4/contrib/bzip2 releng/6.4/sys/conf releng/7.1
releng/7.1/contrib/bzip2 releng/7.1/sys/conf releng/7.3
releng/7.3/contrib/bzip2 releng/7...
Colin Percival
cperciva at FreeBSD.org
Mon Sep 20 14:58:08 UTC 2010
Author: cperciva
Date: Mon Sep 20 14:58:08 2010
New Revision: 212901
URL: http://svn.freebsd.org/changeset/base/212901
Log:
Fix an integer overflow in RLE length parsing when decompressing
corrupt bzip2 data.
Approved by: so (cperciva)
Security: FreeBSD-SA-10:08.bzip2
Modified:
stable/7/contrib/bzip2/decompress.c
Changes in other areas also in this revision:
Modified:
head/contrib/bzip2/decompress.c
releng/6.4/UPDATING
releng/6.4/contrib/bzip2/decompress.c
releng/6.4/sys/conf/newvers.sh
releng/7.1/UPDATING
releng/7.1/contrib/bzip2/decompress.c
releng/7.1/sys/conf/newvers.sh
releng/7.3/UPDATING
releng/7.3/contrib/bzip2/decompress.c
releng/7.3/sys/conf/newvers.sh
releng/8.0/UPDATING
releng/8.0/contrib/bzip2/decompress.c
releng/8.0/sys/conf/newvers.sh
releng/8.1/UPDATING
releng/8.1/contrib/bzip2/decompress.c
releng/8.1/sys/conf/newvers.sh
stable/6/contrib/bzip2/decompress.c
stable/8/contrib/bzip2/decompress.c
Modified: stable/7/contrib/bzip2/decompress.c
==============================================================================
--- stable/7/contrib/bzip2/decompress.c Mon Sep 20 13:48:07 2010 (r212900)
+++ stable/7/contrib/bzip2/decompress.c Mon Sep 20 14:58:08 2010 (r212901)
@@ -381,6 +381,13 @@ Int32 BZ2_decompress ( DState* s )
es = -1;
N = 1;
do {
+ /* Check that N doesn't get too big, so that es doesn't
+ go negative. The maximum value that can be
+ RUNA/RUNB encoded is equal to the block size (post
+ the initial RLE), viz, 900k, so bounding N at 2
+ million should guard against overflow without
+ rejecting any legitimate inputs. */
+ if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR);
if (nextSym == BZ_RUNA) es = es + (0+1) * N; else
if (nextSym == BZ_RUNB) es = es + (1+1) * N;
N = N * 2;
More information about the svn-src-stable-7
mailing list