authorRob Landley <rob@landley.net>2008-06-28 01:07:34 -0500
committerRob Landley <rob@landley.net>2008-06-28 01:07:34 -0500
commit8cca60d64e4b0c4f45fdb0bf5517869867d51a6e (patch)
tree092c460bdebcc97704e95884eef21126dc3ed055
parentb1487dc9ed8c892afde94a8ac04350e3ca0e7074 (diff)
downloadtoybox-8cca60d64e4b0c4f45fdb0bf5517869867d51a6e.tar.gz
A pathological case of Huffman coding that uses 8 bits to code each of 256
symbols could cause an unsigned char limit[8] to wrap back to 0, setting limit to -1 and making the decompressor exit with a data error.
-rw-r--r--lib/bunzip.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/lib/bunzip.c b/lib/bunzip.c
index f923b0c7..ae842891 100644
--- a/lib/bunzip.c
+++ b/lib/bunzip.c
@@ -204,8 +204,9 @@ static int read_block_header(struct bunzip_data *bd, struct bwdata *bw)
// literal symbols, plus two run symbols (RUNA, RUNB)
symCount = bd->symTotal+2;
for (jj=0; jj<bd->groupCount; jj++) {
- unsigned char length[MAX_SYMBOLS], temp[MAX_HUFCODE_BITS+1];
- int minLen, maxLen, pp;
+ unsigned char length[MAX_SYMBOLS];
+ unsigned temp[MAX_HUFCODE_BITS+1];
+ int minLen, maxLen, pp;
// Read lengths
hh = get_bits(bd, 5);
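Review bot: The new `unsigned temp[MAX_HUFCODE_BITS+1];` declaration has no comment saying why it is wider than `length[]`, so a later tidy-up could narrow it back to `unsigned char` and reintroduce the wrap on unusual or crafted input. Going by the commit message, the array holds per-code-length counts that can exceed 255 when every symbol shares one length; its uses lie outside this hunk, so that is inferred rather than visible. I would add a line above the declaration such as `// per-length symbol counts; can exceed 255, so must not be unsigned char`. The loop body and read_block_header continue past the hunk, so whether the value read by `get_bits(bd, 5)` is bounded by MAX_HUFCODE_BITS before it is used cannot be confirmed from here.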