diff options
| author | Denys Vlasenko <vda.linux@googlemail.com> | 2013-10-06 22:53:14 +0200 |
|---|---|---|
| committer | Denys Vlasenko <vda.linux@googlemail.com> | 2013-10-06 22:53:14 +0200 |
| commit | 932e233a491b6a5b9293ace04ef74667a95d739c (patch) | |
| tree | 8c796251df17be67d8e7a285e916a8d29ddcda8b | |
| parent | cd256e1c407aa70dfefb7178ed2c0e4201f1aaf7 (diff) | |
| download | busybox-w32-932e233a491b6a5b9293ace04ef74667a95d739c.tar.gz busybox-w32-932e233a491b6a5b9293ace04ef74667a95d739c.tar.bz2 busybox-w32-932e233a491b6a5b9293ace04ef74667a95d739c.zip | |
bunzip2: fix off-by-one check
stage3-armv7a_hardfp-20130209.tar.bz2, 149189948 bytes long,
md5sum b29ce23312e14eb15a143377d4a38473, was failing to unpack.
It so happened that this file has a run which exactly fills
the 90k buffer. The check was "size >= bufsize", apparently
it has to be ">".
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
| -rw-r--r-- | archival/libarchive/decompress_bunzip2.c | 26 |
1 files changed, 18 insertions, 8 deletions
diff --git a/archival/libarchive/decompress_bunzip2.c b/archival/libarchive/decompress_bunzip2.c index dc252bb82..fb1f2921f 100644 --- a/archival/libarchive/decompress_bunzip2.c +++ b/archival/libarchive/decompress_bunzip2.c | |||
| @@ -42,6 +42,12 @@ | |||
| 42 | #include "libbb.h" | 42 | #include "libbb.h" |
| 43 | #include "bb_archive.h" | 43 | #include "bb_archive.h" |
| 44 | 44 | ||
| 45 | #if 0 | ||
| 46 | # define dbg(...) bb_error_msg(__VA_ARGS__) | ||
| 47 | #else | ||
| 48 | # define dbg(...) ((void)0) | ||
| 49 | #endif | ||
| 50 | |||
| 45 | /* Constants for Huffman coding */ | 51 | /* Constants for Huffman coding */ |
| 46 | #define MAX_GROUPS 6 | 52 | #define MAX_GROUPS 6 |
| 47 | #define GROUP_SIZE 50 /* 64 would have been more efficient */ | 53 | #define GROUP_SIZE 50 /* 64 would have been more efficient */ |
| @@ -52,13 +58,13 @@ | |||
| 52 | 58 | ||
| 53 | /* Status return values */ | 59 | /* Status return values */ |
| 54 | #define RETVAL_OK 0 | 60 | #define RETVAL_OK 0 |
| 55 | #define RETVAL_LAST_BLOCK (-1) | 61 | #define RETVAL_LAST_BLOCK (dbg("%d", __LINE__), -1) |
| 56 | #define RETVAL_NOT_BZIP_DATA (-2) | 62 | #define RETVAL_NOT_BZIP_DATA (dbg("%d", __LINE__), -2) |
| 57 | #define RETVAL_UNEXPECTED_INPUT_EOF (-3) | 63 | #define RETVAL_UNEXPECTED_INPUT_EOF (dbg("%d", __LINE__), -3) |
| 58 | #define RETVAL_SHORT_WRITE (-4) | 64 | #define RETVAL_SHORT_WRITE (dbg("%d", __LINE__), -4) |
| 59 | #define RETVAL_DATA_ERROR (-5) | 65 | #define RETVAL_DATA_ERROR (dbg("%d", __LINE__), -5) |
| 60 | #define RETVAL_OUT_OF_MEMORY (-6) | 66 | #define RETVAL_OUT_OF_MEMORY (dbg("%d", __LINE__), -6) |
| 61 | #define RETVAL_OBSOLETE_INPUT (-7) | 67 | #define RETVAL_OBSOLETE_INPUT (dbg("%d", __LINE__), -7) |
| 62 | 68 | ||
| 63 | /* Other housekeeping constants */ | 69 | /* Other housekeeping constants */ |
| 64 | #define IOBUF_SIZE 4096 | 70 | #define IOBUF_SIZE 4096 |
| @@ -440,7 +446,11 @@ static int get_next_block(bunzip_data *bd) | |||
| 440 | literal used is the one at the head of the mtfSymbol array.) */ | 446 | literal used is the one at the head of the mtfSymbol array.) */ |
| 441 | if (runPos != 0) { | 447 | if (runPos != 0) { |
| 442 | uint8_t tmp_byte; | 448 | uint8_t tmp_byte; |
| 443 | if (dbufCount + runCnt >= dbufSize) return RETVAL_DATA_ERROR; | 449 | if (dbufCount + runCnt > dbufSize) { |
| 450 | dbg("dbufCount:%d+runCnt:%d %d > dbufSize:%d RETVAL_DATA_ERROR", | ||
| 451 | dbufCount, runCnt, dbufCount + runCnt, dbufSize); | ||
| 452 | return RETVAL_DATA_ERROR; | ||
| 453 | } | ||
| 444 | tmp_byte = symToByte[mtfSymbol[0]]; | 454 | tmp_byte = symToByte[mtfSymbol[0]]; |
| 445 | byteCount[tmp_byte] += runCnt; | 455 | byteCount[tmp_byte] += runCnt; |
| 446 | while (--runCnt >= 0) dbuf[dbufCount++] = (uint32_t)tmp_byte; | 456 | while (--runCnt >= 0) dbuf[dbufCount++] = (uint32_t)tmp_byte; |