[src/trunk]: src/dist/bzip2 avoid integer overflow that can lead to buffer ov...

To: source-changes-hg%NetBSD.org@localhost
Subject: [src/trunk]: src/dist/bzip2 avoid integer overflow that can lead to buffer ov...
From: christos <christos%NetBSD.org@localhost>
Date: Mon, 06 Apr 2020 19:22:40 +0000

details:   https://anonhg.NetBSD.org/src/rev/152d13385942
branches:  trunk
changeset: 757750:152d13385942
user:      christos <christos%NetBSD.org@localhost>
date:      Mon Sep 20 19:39:20 2010 +0000

description:
avoid integer overflow that can lead to buffer overflow

diffstat:

 dist/bzip2/decompress.c |  7 +++++++
 1 files changed, 7 insertions(+), 0 deletions(-)

diffs (17 lines):

diff -r bc06742f5855 -r 152d13385942 dist/bzip2/decompress.c
--- a/dist/bzip2/decompress.c   Mon Sep 20 17:51:38 2010 +0000
+++ b/dist/bzip2/decompress.c   Mon Sep 20 19:39:20 2010 +0000
@@ -381,6 +381,13 @@
             es = -1;
             N = 1;
             do {
+               /* Check that N doesn't get too big, so that es doesn't
+                  go negative.  The maximum value that can be
+                  RUNA/RUNB encoded is equal to the block size (post
+                  the initial RLE), viz, 900k, so bounding N at 2
+                  million should guard against overflow without
+                  rejecting any legitimate inputs. */
+               if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR);
                if (nextSym == BZ_RUNA) es = es + (0+1) * N; else
                if (nextSym == BZ_RUNB) es = es + (1+1) * N;
                N = N * 2;

Prev by Date: [src/trunk]: src/libexec/httpd fix a serious error in virtual hosting support...
Next by Date: [src/trunk]: src/libexec/httpd initial import of bozohttpd 20100920. the onl...
Previous by Thread: [src/trunk]: src/libexec/httpd fix a serious error in virtual hosting support...
Next by Thread: [src/trunk]: src/libexec/httpd initial import of bozohttpd 20100920. the onl...
Indexes:

Home | Main Index | Thread Index | Old Index