author | Rob Landley <rob@landley.net> | 2016-03-03 11:07:59 -0600 |
---|---|---|
committer | Rob Landley <rob@landley.net> | 2016-03-03 11:07:59 -0600 |
commit | 5ad93f32da3e2ac70b1fa929889d3034c79f7ed6 (patch) | |
tree | 17282509612347465b14e233513691a707190296 | |
parent | ffc6fbbde3eeca29d1eb3470610eb7ae5b9025f1 (diff) | |
download | toybox-5ad93f32da3e2ac70b1fa929889d3034c79f7ed6.tar.gz |
Fix bzcat integer overflow reported by John Regehr.
-rwxr-xr-x | tests/bzcat.test | 4 | ||||
-rw-r--r-- | tests/files/bzcat/overflow.bz2 | bin | 0 -> 993 bytes | |||
-rw-r--r-- | toys/other/bzcat.c | 8 |
3 files changed, 9 insertions, 3 deletions
diff --git a/tests/bzcat.test b/tests/bzcat.test
index 4eacc684..ef1b07f5 100755
--- a/tests/bzcat.test
+++ b/tests/bzcat.test
@@ -6,6 +6,10 @@ [ -f testing.sh ] && . testing.sh #testing "name" "command" "result" "infile" "stdin"
+testing "overflow" \
+ 'bzcat "$TOPDIR/files/bzcat/overflow.bz2" >/dev/null 2>/dev/null;
+ [ $? -eq 1 ] && echo good' "good\n" "" ""
+ echo "hello" > file tar -cjf file.tar.bz2 file # Get system bzcat
diff --git a/tests/files/bzcat/overflow.bz2 b/tests/files/bzcat/overflow.bz2 Binary files differnew file mode 100644
index 00000000..9ac7947b
--- /dev/null
+++ b/tests/files/bzcat/overflow.bz2
diff --git a/toys/other/bzcat.c b/toys/other/bzcat.c
index 1081b5e9..fdad9a01 100644
--- a/toys/other/bzcat.c
+++ b/toys/other/bzcat.c
@@ -319,9 +319,9 @@ static int read_block_header(struct bunzip_data *bd, struct bwdata *bw) static int read_huffman_data(struct bunzip_data *bd, struct bwdata *bw) { struct group_data *hufGroup;
- int hh, ii, jj, kk, runPos, dbufCount, symCount, selector, nextSym,
+ int ii, jj, kk, runPos, dbufCount, symCount, selector, nextSym, *byteCount, *base, *limit;
- unsigned int *dbuf = bw->dbuf;
+ unsigned hh, *dbuf = bw->dbuf; unsigned char uc; // We've finished reading and digesting the block header. Now read this
@@ -401,7 +401,9 @@ static int read_huffman_data(struct bunzip_data *bd, struct bwdata *bw) literal used is the one at the head of the mtfSymbol array.) */ if (runPos) { runPos = 0;
- if (dbufCount+hh > bd->dbufSize) return RETVAL_DATA_ERROR;
+ // Check for integer overflow
+ if (hh>bd->dbufSize || dbufCount+hh>bd->dbufSize)
+ return RETVAL_DATA_ERROR; uc = bd->symToByte[bd->mtfSymbol[0]]; byteCount[uc] += hh; |
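Review bot: The new "overflow" test discards stderr and accepts any exit status of 1, so it cannot tell "bzcat rejected the corrupt stream" from "bzcat could not open the file". The fixture is added as tests/files/bzcat/overflow.bz2 while the command opens `$TOPDIR/files/bzcat/overflow.bz2`; whether TOPDIR resolves to the tests directory is not visible on this page, and if bzcat also exits 1 on an unreadable path the test would presumably still print good. Making the last line `[ $? -eq 1 ] && [ -f "$TOPDIR/files/bzcat/overflow.bz2" ] && echo good' "good\n" "" ""` keeps a missing or mis-pathed fixture from passing as a successful rejection.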
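Review bot: In the declaration hunk of read_huffman_data, `runPos` stays in the signed `int` list while only `hh` moves to `unsigned`. The code that accumulates the run length is outside both hunks, so this is an inference to confirm against the full function body: if `runPos` is scaled up for every run symbol read from the stream, a long enough run could still overflow a signed value before the new bounds check is reached. If that holds, declaring it as `unsigned hh, runPos, *dbuf = bw->dbuf;` or capping it at `bd->dbufSize` would close the gap. A short comment on the new line, for example `// unsigned: run length comes from the input stream and must wrap, not overflow`, would also record why `hh` is typed differently from its neighbours.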
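Review bot: The comment `// Check for integer overflow` in the `if (runPos)` branch does not say which operand is untrusted or why two comparisons are needed, so a later cleanup could easily fold them back into the single `dbufCount+hh` test. The first comparison is what bounds `hh` before the addition, and the addition mixes the signed `dbufCount` with the now-unsigned `hh`. Whether the sum can still wrap therefore depends on the type and maximum of `bd->dbufSize`, which are declared outside this page. I would spell that out, for example `// hh comes from the stream: bound it first so dbufCount+hh cannot wrap`, and state the assumed upper limit of dbufSize next to it. The enclosing function starts and ends outside the hunk.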