From owner-svn-src-stable-8@FreeBSD.ORG Mon Sep 20 14:58:09 2010 Return-Path: Delivered-To: svn-src-stable-8@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 5594C106567A; Mon, 20 Sep 2010 14:58:09 +0000 (UTC) (envelope-from cperciva@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:4f8:fff6::2c]) by mx1.freebsd.org (Postfix) with ESMTP id 289FB8FC2B; Mon, 20 Sep 2010 14:58:09 +0000 (UTC) Received: from svn.freebsd.org (localhost [127.0.0.1]) by svn.freebsd.org (8.14.3/8.14.3) with ESMTP id o8KEw9nt055761; Mon, 20 Sep 2010 14:58:09 GMT (envelope-from cperciva@svn.freebsd.org) Received: (from cperciva@localhost) by svn.freebsd.org (8.14.3/8.14.3/Submit) id o8KEw9E2055759; Mon, 20 Sep 2010 14:58:09 GMT (envelope-from cperciva@svn.freebsd.org) Message-Id: <201009201458.o8KEw9E2055759@svn.freebsd.org> From: Colin Percival Date: Mon, 20 Sep 2010 14:58:09 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-8@freebsd.org X-SVN-Group: stable-8 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Cc: Subject: svn commit: r212901 - head/contrib/bzip2 releng/6.4 releng/6.4/contrib/bzip2 releng/6.4/sys/conf releng/7.1 releng/7.1/contrib/bzip2 releng/7.1/sys/conf releng/7.3 releng/7.3/contrib/bzip2 releng/7... X-BeenThere: svn-src-stable-8@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: SVN commit messages for only the 8-stable src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 20 Sep 2010 14:58:09 -0000 Author: cperciva Date: Mon Sep 20 14:58:08 2010 New Revision: 212901 URL: http://svn.freebsd.org/changeset/base/212901 Log: Fix an integer overflow in RLE length parsing when decompressing corrupt bzip2 data. Approved by: so (cperciva) Security: FreeBSD-SA-10:08.bzip2 Modified: stable/8/contrib/bzip2/decompress.c Changes in other areas also in this revision: Modified: head/contrib/bzip2/decompress.c releng/6.4/UPDATING releng/6.4/contrib/bzip2/decompress.c releng/6.4/sys/conf/newvers.sh releng/7.1/UPDATING releng/7.1/contrib/bzip2/decompress.c releng/7.1/sys/conf/newvers.sh releng/7.3/UPDATING releng/7.3/contrib/bzip2/decompress.c releng/7.3/sys/conf/newvers.sh releng/8.0/UPDATING releng/8.0/contrib/bzip2/decompress.c releng/8.0/sys/conf/newvers.sh releng/8.1/UPDATING releng/8.1/contrib/bzip2/decompress.c releng/8.1/sys/conf/newvers.sh stable/6/contrib/bzip2/decompress.c stable/7/contrib/bzip2/decompress.c Modified: stable/8/contrib/bzip2/decompress.c ============================================================================== --- stable/8/contrib/bzip2/decompress.c Mon Sep 20 13:48:07 2010 (r212900) +++ stable/8/contrib/bzip2/decompress.c Mon Sep 20 14:58:08 2010 (r212901) @@ -381,6 +381,13 @@ Int32 BZ2_decompress ( DState* s ) es = -1; N = 1; do { + /* Check that N doesn't get too big, so that es doesn't + go negative. The maximum value that can be + RUNA/RUNB encoded is equal to the block size (post + the initial RLE), viz, 900k, so bounding N at 2 + million should guard against overflow without + rejecting any legitimate inputs. */ + if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR); if (nextSym == BZ_RUNA) es = es + (0+1) * N; else if (nextSym == BZ_RUNB) es = es + (1+1) * N; N = N * 2;