diff options
| author | Rob Landley <rob@landley.net> | 2006-02-17 05:19:40 +0000 |
|---|---|---|
| committer | Rob Landley <rob@landley.net> | 2006-02-17 05:19:40 +0000 |
| commit | efae294b15ff6d0834778c523e16f1751b790d99 (patch) | |
| tree | 73eb0d05822d7fdb6b5986f9477ade764979053e | |
| parent | 2c98c40ec881dcaac93b069525314bc078359175 (diff) | |
| download | busybox-w32-efae294b15ff6d0834778c523e16f1751b790d99.tar.gz busybox-w32-efae294b15ff6d0834778c523e16f1751b790d99.tar.bz2 busybox-w32-efae294b15ff6d0834778c523e16f1751b790d99.zip | |
Fix for an integer overflow bug that could cause a segfault on certain
pathological archives.
(Unlikely to have security implications, the only way to trigger it basically
wound up doing memset(dbuf,x,2^31) and triggering an immediate segfault. The
test basically gives us a more polite error message.)
Thanks to Ned Ludd and the Gentoo security guys for finding this.
| -rw-r--r-- | archival/libunarchive/decompress_bunzip2.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/archival/libunarchive/decompress_bunzip2.c b/archival/libunarchive/decompress_bunzip2.c index 34afd6f99..df6fa078f 100644 --- a/archival/libunarchive/decompress_bunzip2.c +++ b/archival/libunarchive/decompress_bunzip2.c | |||
| @@ -413,7 +413,7 @@ got_huff_bits: | |||
| 413 | context). Thus space is saved. */ | 413 | context). Thus space is saved. */ |
| 414 | 414 | ||
| 415 | t += (runPos << nextSym); /* +runPos if RUNA; +2*runPos if RUNB */ | 415 | t += (runPos << nextSym); /* +runPos if RUNA; +2*runPos if RUNB */ |
| 416 | runPos <<= 1; | 416 | if(runPos < dbufSize) runPos <<= 1; |
| 417 | goto end_of_huffman_loop; | 417 | goto end_of_huffman_loop; |
| 418 | } | 418 | } |
| 419 | 419 | ||