Fix an integer overflow in RLE length parsing when decompressing
corrupt bzip2 data. Approved by: so (cperciva) Security: FreeBSD-SA-10:08.bzip2
This commit is contained in:
parent
e43e02f1a4
commit
66e576525d
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=212901
@ -381,6 +381,13 @@ Int32 BZ2_decompress ( DState* s )
|
||||
es = -1;
|
||||
N = 1;
|
||||
do {
|
||||
/* Check that N doesn't get too big, so that es doesn't
|
||||
go negative. The maximum value that can be
|
||||
RUNA/RUNB encoded is equal to the block size (post
|
||||
the initial RLE), viz, 900k, so bounding N at 2
|
||||
million should guard against overflow without
|
||||
rejecting any legitimate inputs. */
|
||||
if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR);
|
||||
if (nextSym == BZ_RUNA) es = es + (0+1) * N; else
|
||||
if (nextSym == BZ_RUNB) es = es + (1+1) * N;
|
||||
N = N * 2;
|
||||
|
Loading…
Reference in New Issue
Block a user