From 5ad93f32da3e2ac70b1fa929889d3034c79f7ed6 Mon Sep 17 00:00:00 2001 From: Rob Landley Date: Thu, 3 Mar 2016 11:07:59 -0600 Subject: Fix bzcat integer overflow reported by John Regehr. --- toys/other/bzcat.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) (limited to 'toys/other') diff --git a/toys/other/bzcat.c b/toys/other/bzcat.c index 1081b5e9..fdad9a01 100644 --- a/toys/other/bzcat.c +++ b/toys/other/bzcat.c @@ -319,9 +319,9 @@ static int read_block_header(struct bunzip_data *bd, struct bwdata *bw) static int read_huffman_data(struct bunzip_data *bd, struct bwdata *bw) { struct group_data *hufGroup; - int hh, ii, jj, kk, runPos, dbufCount, symCount, selector, nextSym, + int ii, jj, kk, runPos, dbufCount, symCount, selector, nextSym, *byteCount, *base, *limit; - unsigned int *dbuf = bw->dbuf; + unsigned hh, *dbuf = bw->dbuf; unsigned char uc; // We've finished reading and digesting the block header. Now read this @@ -401,7 +401,9 @@ static int read_huffman_data(struct bunzip_data *bd, struct bwdata *bw) literal used is the one at the head of the mtfSymbol array.) */ if (runPos) { runPos = 0; - if (dbufCount+hh > bd->dbufSize) return RETVAL_DATA_ERROR; + // Check for integer overflow + if (hh>bd->dbufSize || dbufCount+hh>bd->dbufSize) + return RETVAL_DATA_ERROR; uc = bd->symToByte[bd->mtfSymbol[0]]; byteCount[uc] += hh; -- cgit v1.2.3