From 8cca60d64e4b0c4f45fdb0bf5517869867d51a6e Mon Sep 17 00:00:00 2001
From: Rob Landley
Date: Sat, 28 Jun 2008 01:07:34 -0500
Subject: A pathological case of huffman coding that uses 8 bits to code each of 256 symbols could cause an unsigned char limit[8] to wrap back to 0, setting limit to -1 and making the decompressor exit with a data error.
---
 lib/bunzip.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/lib/bunzip.c b/lib/bunzip.c
index f923b0c7..ae842891 100644
--- a/lib/bunzip.c
+++ b/lib/bunzip.c
@@ -204,8 +204,9 @@ static int read_block_header(struct bunzip_data *bd, struct bwdata *bw)
 // literal symbols, plus two run symbols (RUNA, RUNB)
 symCount = bd->symTotal+2;
 for (jj=0; jjgroupCount; jj++) {
- unsigned char length[MAX_SYMBOLS], temp[MAX_HUFCODE_BITS+1];
- int minLen, maxLen, pp;
+ unsigned char length[MAX_SYMBOLS];
+ unsigned temp[MAX_HUFCODE_BITS+1];
+ int minLen, maxLen, pp;
 // Read lengths
 hh = get_bits(bd, 5);
-- 
cgit v1.2.3
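Review bot: The widened declaration `unsigned temp[MAX_HUFCODE_BITS+1];` has no comment saying why it is no longer a byte array, so a later size cleanup could narrow it again and bring back the wrap on crafted input. Going by the commit message, each entry counts the symbols at one code length and can exceed 255, so I would add `// per-length symbol counts; can exceed 255, so must be wider than a byte` above it. The diffstat shows only lib/bunzip.c changed, so a regression input with all 256 symbols coded at 8 bits would also be worth adding to the test suite. The loop body and the uses of temp[] lie outside the hunk, so its counting role is inferred from the message rather than seen here.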