diff options
author | Rob Landley <rob@landley.net> | 2008-06-28 01:07:34 -0500 |
---|---|---|
committer | Rob Landley <rob@landley.net> | 2008-06-28 01:07:34 -0500 |
commit | 8cca60d64e4b0c4f45fdb0bf5517869867d51a6e (patch) | |
tree | 092c460bdebcc97704e95884eef21126dc3ed055 /lib | |
parent | b1487dc9ed8c892afde94a8ac04350e3ca0e7074 (diff) | |
download | toybox-8cca60d64e4b0c4f45fdb0bf5517869867d51a6e.tar.gz |
A pathological case of huffman coding that uses 8 bits to code each of 256
symbols could cause an unsigned char limit[8] to wrap back to 0, setting
limit to -1 and making the decompressor exit with a data error.
Diffstat (limited to 'lib')
-rw-r--r-- | lib/bunzip.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/lib/bunzip.c b/lib/bunzip.c index f923b0c7..ae842891 100644 --- a/lib/bunzip.c +++ b/lib/bunzip.c @@ -204,8 +204,9 @@ static int read_block_header(struct bunzip_data *bd, struct bwdata *bw) // literal symbols, plus two run symbols (RUNA, RUNB) symCount = bd->symTotal+2; for (jj=0; jj<bd->groupCount; jj++) { - unsigned char length[MAX_SYMBOLS], temp[MAX_HUFCODE_BITS+1]; - int minLen, maxLen, pp; + unsigned char length[MAX_SYMBOLS]; + unsigned temp[MAX_HUFCODE_BITS+1]; + int minLen, maxLen, pp; // Read lengths hh = get_bits(bd, 5); |