diff options
Diffstat (limited to 'decompress.c')
| -rw-r--r-- | decompress.c | 24 |
1 files changed, 22 insertions, 2 deletions
diff --git a/decompress.c b/decompress.c index bba5e0f..311f566 100644 --- a/decompress.c +++ b/decompress.c | |||
| @@ -8,8 +8,8 @@ | |||
| 8 | This file is part of bzip2/libbzip2, a program and library for | 8 | This file is part of bzip2/libbzip2, a program and library for |
| 9 | lossless, block-sorting data compression. | 9 | lossless, block-sorting data compression. |
| 10 | 10 | ||
| 11 | bzip2/libbzip2 version 1.0.5 of 10 December 2007 | 11 | bzip2/libbzip2 version 1.0.6 of 6 September 2010 |
| 12 | Copyright (C) 1996-2007 Julian Seward <jseward@bzip.org> | 12 | Copyright (C) 1996-2010 Julian Seward <jseward@bzip.org> |
| 13 | 13 | ||
| 14 | Please read the WARNING, DISCLAIMER and PATENTS sections in the | 14 | Please read the WARNING, DISCLAIMER and PATENTS sections in the |
| 15 | README file. | 15 | README file. |
| @@ -381,6 +381,13 @@ Int32 BZ2_decompress ( DState* s ) | |||
| 381 | es = -1; | 381 | es = -1; |
| 382 | N = 1; | 382 | N = 1; |
| 383 | do { | 383 | do { |
| 384 | /* Check that N doesn't get too big, so that es doesn't | ||
| 385 | go negative. The maximum value that can be | ||
| 386 | RUNA/RUNB encoded is equal to the block size (post | ||
| 387 | the initial RLE), viz, 900k, so bounding N at 2 | ||
| 388 | million should guard against overflow without | ||
| 389 | rejecting any legitimate inputs. */ | ||
| 390 | if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR); | ||
| 384 | if (nextSym == BZ_RUNA) es = es + (0+1) * N; else | 391 | if (nextSym == BZ_RUNA) es = es + (0+1) * N; else |
| 385 | if (nextSym == BZ_RUNB) es = es + (1+1) * N; | 392 | if (nextSym == BZ_RUNB) es = es + (1+1) * N; |
| 386 | N = N * 2; | 393 | N = N * 2; |
| @@ -485,15 +492,28 @@ Int32 BZ2_decompress ( DState* s ) | |||
| 485 | RETURN(BZ_DATA_ERROR); | 492 | RETURN(BZ_DATA_ERROR); |
| 486 | 493 | ||
| 487 | /*-- Set up cftab to facilitate generation of T^(-1) --*/ | 494 | /*-- Set up cftab to facilitate generation of T^(-1) --*/ |
| 495 | /* Check: unzftab entries in range. */ | ||
| 496 | for (i = 0; i <= 255; i++) { | ||
| 497 | if (s->unzftab[i] < 0 || s->unzftab[i] > nblock) | ||
| 498 | RETURN(BZ_DATA_ERROR); | ||
| 499 | } | ||
| 500 | /* Actually generate cftab. */ | ||
| 488 | s->cftab[0] = 0; | 501 | s->cftab[0] = 0; |
| 489 | for (i = 1; i <= 256; i++) s->cftab[i] = s->unzftab[i-1]; | 502 | for (i = 1; i <= 256; i++) s->cftab[i] = s->unzftab[i-1]; |
| 490 | for (i = 1; i <= 256; i++) s->cftab[i] += s->cftab[i-1]; | 503 | for (i = 1; i <= 256; i++) s->cftab[i] += s->cftab[i-1]; |
| 504 | /* Check: cftab entries in range. */ | ||
| 491 | for (i = 0; i <= 256; i++) { | 505 | for (i = 0; i <= 256; i++) { |
| 492 | if (s->cftab[i] < 0 || s->cftab[i] > nblock) { | 506 | if (s->cftab[i] < 0 || s->cftab[i] > nblock) { |
| 493 | /* s->cftab[i] can legitimately be == nblock */ | 507 | /* s->cftab[i] can legitimately be == nblock */ |
| 494 | RETURN(BZ_DATA_ERROR); | 508 | RETURN(BZ_DATA_ERROR); |
| 495 | } | 509 | } |
| 496 | } | 510 | } |
| 511 | /* Check: cftab entries non-descending. */ | ||
| 512 | for (i = 1; i <= 256; i++) { | ||
| 513 | if (s->cftab[i-1] > s->cftab[i]) { | ||
| 514 | RETURN(BZ_DATA_ERROR); | ||
| 515 | } | ||
| 516 | } | ||
| 497 | 517 | ||
| 498 | s->state_out_len = 0; | 518 | s->state_out_len = 0; |
| 499 | s->state_out_ch = 0; | 519 | s->state_out_ch = 0; |