aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorRob Landley <rob@landley.net>2006-02-17 05:19:40 +0000
committerRob Landley <rob@landley.net>2006-02-17 05:19:40 +0000
commitefae294b15ff6d0834778c523e16f1751b790d99 (patch)
tree73eb0d05822d7fdb6b5986f9477ade764979053e
parent2c98c40ec881dcaac93b069525314bc078359175 (diff)
downloadbusybox-efae294b15ff6d0834778c523e16f1751b790d99.tar.gz
Fix for an integer overflow bug that could cause a segfault on certain
pathological archives. (Unlikely to have security implications, the only way to trigger it basically wound up doing memset(dbuf,x,2^31) and triggering an immediate segfault. The test basically gives us a more polite error message.) Thanks to Ned Ludd and the Gentoo security guys for finding this.
-rw-r--r--archival/libunarchive/decompress_bunzip2.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/archival/libunarchive/decompress_bunzip2.c b/archival/libunarchive/decompress_bunzip2.c
index 34afd6f99..df6fa078f 100644
--- a/archival/libunarchive/decompress_bunzip2.c
+++ b/archival/libunarchive/decompress_bunzip2.c
@@ -413,7 +413,7 @@ got_huff_bits:
context). Thus space is saved. */
t += (runPos << nextSym); /* +runPos if RUNA; +2*runPos if RUNB */
- runPos <<= 1;
+ if(runPos < dbufSize) runPos <<= 1;
goto end_of_huffman_loop;
}