From efae294b15ff6d0834778c523e16f1751b790d99 Mon Sep 17 00:00:00 2001 From: Rob Landley Date: Fri, 17 Feb 2006 05:19:40 +0000 Subject: Fix for an integer overflow bug that could cause a segfault on certain pathological archives. (Unlikely to have security implications, the only way to trigger it basically wound up doing memset(dbuf,x,2^31) and triggering an immediate segfault. The test basically gives us a more polite error message.) Thanks to Ned Ludd and the Gentoo security guys for finding this. --- archival/libunarchive/decompress_bunzip2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/archival/libunarchive/decompress_bunzip2.c b/archival/libunarchive/decompress_bunzip2.c index 34afd6f99..df6fa078f 100644 --- a/archival/libunarchive/decompress_bunzip2.c +++ b/archival/libunarchive/decompress_bunzip2.c @@ -413,7 +413,7 @@ got_huff_bits: context). Thus space is saved. */ t += (runPos << nextSym); /* +runPos if RUNA; +2*runPos if RUNB */ - runPos <<= 1; + if(runPos < dbufSize) runPos <<= 1; goto end_of_huffman_loop; } -- cgit v1.2.3
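Review bot: the new guard at `if(runPos < dbufSize) runPos <<= 1;` stops runPos from doubling past the output buffer size, but it leaves the accumulated run length `t` unbounded: once runPos has stopped growing, every further RUNA/RUNB symbol still executes `t += (runPos << nextSym);` on the line above, so a long enough run of RUNA/RUNB symbols can still push `t` well past dbufSize (and, since `t` is added to rather than compared, past any signed-int limit). The rejection of an oversized run therefore has to happen where `t` is consumed as a run length, with an explicit check against dbufSize; that check is not visible in this hunk, so a one-line comment on the guard saying that it only keeps the shift from overflowing and that the real bound on `t` is enforced later would make the intent of this change clear to the next reader. A note that runPos is compared as a signed value, and why dbufSize is the chosen cap (no valid run can exceed the buffer being filled), would also be worth having in the comment block that already explains the RUNA/RUNB encoding.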