diff options
author | Albert Astals Cid <aacid@kde.org> | 2019-05-28 19:35:18 +0200 |
---|---|---|
committer | Mark Wielaard <mark@klomp.org> | 2019-06-24 15:34:05 +0200 |
commit | 7ed62bfb46e87a9e878712603469440e6882b184 (patch) | |
tree | 2ab31d696610797b6913cce701a71e70eb19a6a7 | |
parent | 16f2c753f9959e8d7c7e1fa771b8ccc5821427aa (diff) | |
download | bzip2-7ed62bfb46e87a9e878712603469440e6882b184.tar.gz bzip2-7ed62bfb46e87a9e878712603469440e6882b184.tar.bz2 bzip2-7ed62bfb46e87a9e878712603469440e6882b184.zip |
Make sure nSelectors is not out of range
nSelectors is used in a loop from 0 to nSelectors to access selectorMtf
which is
UChar selectorMtf[BZ_MAX_SELECTORS];
so if nSelectors is bigger than BZ_MAX_SELECTORS it'll do an invalid memory
access
Fixes out of bounds access discovered while fuzzying karchive
This was reported as CVE-2019-12900
BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an
out-of-bounds write when there are many selectors.
-rw-r--r-- | decompress.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/decompress.c b/decompress.c index ab6a624..f3db91d 100644 --- a/decompress.c +++ b/decompress.c | |||
@@ -287,7 +287,7 @@ Int32 BZ2_decompress ( DState* s ) | |||
287 | GET_BITS(BZ_X_SELECTOR_1, nGroups, 3); | 287 | GET_BITS(BZ_X_SELECTOR_1, nGroups, 3); |
288 | if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR); | 288 | if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR); |
289 | GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15); | 289 | GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15); |
290 | if (nSelectors < 1) RETURN(BZ_DATA_ERROR); | 290 | if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) RETURN(BZ_DATA_ERROR); |
291 | for (i = 0; i < nSelectors; i++) { | 291 | for (i = 0; i < nSelectors; i++) { |
292 | j = 0; | 292 | j = 0; |
293 | while (True) { | 293 | while (True) { |