Fix bzcat integer overflow reported by John Regehr.

author: Rob Landley <rob@landley.net> 2016-03-03 11:07:59 -0600
committer: Rob Landley <rob@landley.net> 2016-03-03 11:07:59 -0600
commit: 5ad93f32da3e2ac70b1fa929889d3034c79f7ed6 (patch)
tree: 17282509612347465b14e233513691a707190296 /toys
parent: ffc6fbbde3eeca29d1eb3470610eb7ae5b9025f1 (diff)
download: toybox-5ad93f32da3e2ac70b1fa929889d3034c79f7ed6.tar.gz
1 files changed, 5 insertions, 3 deletions
diff --git a/toys/other/bzcat.c b/toys/other/bzcat.c
index 1081b5e9..fdad9a01 100644
--- a/toys/other/bzcat.c
+++ b/toys/other/bzcat.c
@@ -319,9 +319,9 @@ static int read_block_header(struct bunzip_data *bd, struct bwdata *bw)
 static int read_huffman_data(struct bunzip_data *bd, struct bwdata *bw)
 {
   struct group_data *hufGroup;
-  int hh, ii, jj, kk, runPos, dbufCount, symCount, selector, nextSym,
+  int ii, jj, kk, runPos, dbufCount, symCount, selector, nextSym,
     *byteCount, *base, *limit;
-  unsigned int *dbuf = bw->dbuf;
+  unsigned hh, *dbuf = bw->dbuf;
   unsigned char uc;
 
   // We've finished reading and digesting the block header.  Now read this
@@ -401,7 +401,9 @@ static int read_huffman_data(struct bunzip_data *bd, struct bwdata *bw)
        literal used is the one at the head of the mtfSymbol array.) */
     if (runPos) {
       runPos = 0;
-      if (dbufCount+hh > bd->dbufSize) return RETVAL_DATA_ERROR;
+      // Check for integer overflow
+      if (hh>bd->dbufSize || dbufCount+hh>bd->dbufSize)
+        return RETVAL_DATA_ERROR;
 
       uc = bd->symToByte[bd->mtfSymbol[0]];
       byteCount[uc] += hh;
author	Rob Landley <rob@landley.net>	2016-03-03 11:07:59 -0600
committer	Rob Landley <rob@landley.net>	2016-03-03 11:07:59 -0600
commit	5ad93f32da3e2ac70b1fa929889d3034c79f7ed6 (patch)
tree	17282509612347465b14e233513691a707190296 /toys
parent	ffc6fbbde3eeca29d1eb3470610eb7ae5b9025f1 (diff)
download	toybox-5ad93f32da3e2ac70b1fa929889d3034c79f7ed6.tar.gz