authorRob Landley <rob@landley.net>2016-03-03 11:07:59 -0600
committerRob Landley <rob@landley.net>2016-03-03 11:07:59 -0600
commit5ad93f32da3e2ac70b1fa929889d3034c79f7ed6 (patch)
tree17282509612347465b14e233513691a707190296
parentffc6fbbde3eeca29d1eb3470610eb7ae5b9025f1 (diff)
downloadtoybox-5ad93f32da3e2ac70b1fa929889d3034c79f7ed6.tar.gz
Fix bzcat integer overflow reported by John Regehr.
-rwxr-xr-xtests/bzcat.test4
-rw-r--r--tests/files/bzcat/overflow.bz2bin0 -> 993 bytes
-rw-r--r--toys/other/bzcat.c8
3 files changed, 9 insertions, 3 deletions
diff --git a/tests/bzcat.test b/tests/bzcat.test
index 4eacc684..ef1b07f5 100755
--- a/tests/bzcat.test
+++ b/tests/bzcat.test
@@ -6,6 +6,10 @@
[ -f testing.sh ] && . testing.sh
#testing "name" "command" "result" "infile" "stdin"
+testing "overflow" \
+ 'bzcat "$TOPDIR/files/bzcat/overflow.bz2" >/dev/null 2>/dev/null;
+ [ $? -eq 1 ] && echo good' "good\n" "" ""
+
echo "hello" > file
tar -cjf file.tar.bz2 file
# Get system bzcat
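Review bot: The new "overflow" test accepts any exit status of 1 and discards stderr, so it would presumably also print "good" if `overflow.bz2` were missing or `$TOPDIR` pointed somewhere unexpected, since an open failure is also an ordinary error exit. Checking the fixture first would keep the test from passing vacuously, e.g. wrapping the existing command as `[ -s "$TOPDIR/files/bzcat/overflow.bz2" ] && { bzcat ... ; [ $? -eq 1 ] && echo good; }`. A one-line comment above the test saying that the file is a crafted stream which must be rejected as a data error, not crash, would also help the next reader.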
diff --git a/tests/files/bzcat/overflow.bz2 b/tests/files/bzcat/overflow.bz2
new file mode 100644
index 00000000..9ac7947b
--- /dev/null
+++ b/tests/files/bzcat/overflow.bz2
Binary files differ
diff --git a/toys/other/bzcat.c b/toys/other/bzcat.c
index 1081b5e9..fdad9a01 100644
--- a/toys/other/bzcat.c
+++ b/toys/other/bzcat.c
@@ -319,9 +319,9 @@ static int read_block_header(struct bunzip_data *bd, struct bwdata *bw)
static int read_huffman_data(struct bunzip_data *bd, struct bwdata *bw)
{
struct group_data *hufGroup;
- int hh, ii, jj, kk, runPos, dbufCount, symCount, selector, nextSym,
+ int ii, jj, kk, runPos, dbufCount, symCount, selector, nextSym,
*byteCount, *base, *limit;
- unsigned int *dbuf = bw->dbuf;
+ unsigned hh, *dbuf = bw->dbuf;
unsigned char uc;
// We've finished reading and digesting the block header. Now read this
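Review bot: `unsigned hh, *dbuf = bw->dbuf;` declares an uninitialized counter and an initialized pointer in one statement, which is easy to misread as `hh` being initialized and hides the signedness change the fix depends on. Splitting it keeps the intent visible: `unsigned hh;   // run length taken from the compressed stream` followed by `unsigned *dbuf = bw->dbuf;`. The change is presumably meant to make wrap-around of `hh` well defined, and a comment saying so would explain why it differs from the neighbouring `int` counters. `dbufCount` remains `int`, so the later `dbufCount+hh` is evaluated in unsigned arithmetic. The body of read_huffman_data continues outside the hunk.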
@@ -401,7 +401,9 @@ static int read_huffman_data(struct bunzip_data *bd, struct bwdata *bw)
literal used is the one at the head of the mtfSymbol array.) */
if (runPos) {
runPos = 0;
- if (dbufCount+hh > bd->dbufSize) return RETVAL_DATA_ERROR;
+ // Check for integer overflow
+ if (hh>bd->dbufSize || dbufCount+hh>bd->dbufSize)
+ return RETVAL_DATA_ERROR;
uc = bd->symToByte[bd->mtfSymbol[0]];
byteCount[uc] += hh;
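Review bot: The guard `hh>bd->dbufSize || dbufCount+hh>bd->dbufSize` only sees the final value of `hh`, so it relies on `hh` not having wrapped while the run length was being accumulated, and that accumulation is outside this hunk. Now that `hh` is unsigned, a sufficiently long run in a crafted stream could presumably wrap it back to a small value that passes both comparisons. The write would stay in bounds, but the output would be silently wrong until a later integrity check catches it. Rejecting the run where `hh` grows, as soon as it exceeds `bd->dbufSize`, would close that gap. The comment could also say why two comparisons are needed, e.g. `// hh is stream-controlled: bound it alone first so dbufCount+hh cannot wrap`. read_huffman_data starts and ends outside the hunk.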