Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 20 Sep 2010 14:58:08 +0000 (UTC)
From:      Colin Percival <cperciva@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-7@freebsd.org
Subject:   svn commit: r212901 - head/contrib/bzip2 releng/6.4 releng/6.4/contrib/bzip2 releng/6.4/sys/conf releng/7.1 releng/7.1/contrib/bzip2 releng/7.1/sys/conf releng/7.3 releng/7.3/contrib/bzip2 releng/7...
Message-ID:  <201009201458.o8KEw8qd055721@svn.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: cperciva
Date: Mon Sep 20 14:58:08 2010
New Revision: 212901
URL: http://svn.freebsd.org/changeset/base/212901

Log:
  Fix an integer overflow in RLE length parsing when decompressing
  corrupt bzip2 data.
  
  Approved by:	so (cperciva)
  Security:	FreeBSD-SA-10:08.bzip2

Modified:
  stable/7/contrib/bzip2/decompress.c

Changes in other areas also in this revision:
Modified:
  head/contrib/bzip2/decompress.c
  releng/6.4/UPDATING
  releng/6.4/contrib/bzip2/decompress.c
  releng/6.4/sys/conf/newvers.sh
  releng/7.1/UPDATING
  releng/7.1/contrib/bzip2/decompress.c
  releng/7.1/sys/conf/newvers.sh
  releng/7.3/UPDATING
  releng/7.3/contrib/bzip2/decompress.c
  releng/7.3/sys/conf/newvers.sh
  releng/8.0/UPDATING
  releng/8.0/contrib/bzip2/decompress.c
  releng/8.0/sys/conf/newvers.sh
  releng/8.1/UPDATING
  releng/8.1/contrib/bzip2/decompress.c
  releng/8.1/sys/conf/newvers.sh
  stable/6/contrib/bzip2/decompress.c
  stable/8/contrib/bzip2/decompress.c

Modified: stable/7/contrib/bzip2/decompress.c
==============================================================================
--- stable/7/contrib/bzip2/decompress.c	Mon Sep 20 13:48:07 2010	(r212900)
+++ stable/7/contrib/bzip2/decompress.c	Mon Sep 20 14:58:08 2010	(r212901)
@@ -381,6 +381,13 @@ Int32 BZ2_decompress ( DState* s )
             es = -1;
             N = 1;
             do {
+               /* Check that N doesn't get too big, so that es doesn't
+                  go negative.  The maximum value that can be
+                  RUNA/RUNB encoded is equal to the block size (post
+                  the initial RLE), viz, 900k, so bounding N at 2
+                  million should guard against overflow without
+                  rejecting any legitimate inputs. */
+               if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR);
                if (nextSym == BZ_RUNA) es = es + (0+1) * N; else
                if (nextSym == BZ_RUNB) es = es + (1+1) * N;
                N = N * 2;



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201009201458.o8KEw8qd055721>