aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorManuel Novoa III <mjn3@codepoet.org>2005-03-01 19:29:29 +0000
committerManuel Novoa III <mjn3@codepoet.org>2005-03-01 19:29:29 +0000
commit0d8c652c46e49e71bbc93e405252ea87cfbe6c89 (patch)
treeae9588179fe1ceb57e05bd80851cab4a5a89ad9b
parent6ddc0d7f6be575a17b42d5e0adf6489ce995531f (diff)
downloadbusybox-0d8c652c46e49e71bbc93e405252ea87cfbe6c89.tar.gz
When filling the bit buffer, gzip decompression apparently never checked for end of file, causing it to hang on corrupted input.
-rw-r--r--archival/libunarchive/decompress_unzip.c5
1 files changed, 4 insertions, 1 deletions
diff --git a/archival/libunarchive/decompress_unzip.c b/archival/libunarchive/decompress_unzip.c
index e8cf54bff..b17065d92 100644
--- a/archival/libunarchive/decompress_unzip.c
+++ b/archival/libunarchive/decompress_unzip.c
@@ -151,7 +151,10 @@ static unsigned int fill_bitbuffer(unsigned int bitbuffer, unsigned int *current
/* Leave the first 4 bytes empty so we can always unwind the bitbuffer
* to the front of the bytebuffer, leave 4 bytes free at end of tail
* so we can easily top up buffer in check_trailer_gzip() */
- bytebuffer_size = 4 + bb_xread(gunzip_src_fd, &bytebuffer[4], bytebuffer_max - 8);
+ if (!(bytebuffer_size = bb_xread(gunzip_src_fd, &bytebuffer[4], bytebuffer_max - 8))) {
+ bb_error_msg_and_die("unexpected end of file");
+ }
+ bytebuffer_size += 4;
bytebuffer_offset = 4;
}
bitbuffer |= ((unsigned int) bytebuffer[bytebuffer_offset]) << *current;