Fix an integer overflow in RLE length parsing when decompressing

corrupt bzip2 data. Approved by: so (cperciva) Security: FreeBSD-SA-10:08.bzip2
svn path=/head/; revision=212901
2010-09-20 14:58:08 +00:00 · 2010-09-20 14:58:08 +00:00 · 66e576525d · 2020-12-20 02:59:44 +00:00
commit 66e576525d
parent e43e02f1a4
1 changed files with 7 additions and 0 deletions
--- a/contrib/bzip2/decompress.c
+++ b/contrib/bzip2/decompress.c
@ -381,6 +381,13 @@ Int32 BZ2_decompress ( DState* s )
            es = -1;
            N = 1;
            do {
+               /* Check that N doesn't get too big, so that es doesn't
+                  go negative.  The maximum value that can be
+                  RUNA/RUNB encoded is equal to the block size (post
+                  the initial RLE), viz, 900k, so bounding N at 2
+                  million should guard against overflow without
+                  rejecting any legitimate inputs. */
+               if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR);
               if (nextSym == BZ_RUNA) es = es + (0+1) * N; else
               if (nextSym == BZ_RUNB) es = es + (1+1) * N;
               N = N * 2;