forked from SLFO-pool/xen
31 lines
1.3 KiB
Diff
31 lines
1.3 KiB
Diff
|
# Commit 303d3ff85c90ee4af4bad4e3b1d4932fa2634d64
|
||
|
|
# Date 2024-07-30 11:55:56 +0200
|
||
|
|
# Author Ross Lagerwall <ross.lagerwall@citrix.com>
|
||
|
|
# Committer Jan Beulich <jbeulich@suse.com>
|
||
|
|
bunzip2: fix rare decompression failure
|
||
|
|
|
||
|
|
The decompression code parses a huffman tree and counts the number of
|
||
|
|
symbols for a given bit length. In rare cases, there may be >= 256
|
||
|
|
symbols with a given bit length, causing the unsigned char to overflow.
|
||
|
|
This causes a decompression failure later when the code tries and fails to
|
||
|
|
find the bit length for a given symbol.
|
||
|
|
|
||
|
|
Since the maximum number of symbols is 258, use unsigned short instead.
|
||
|
|
|
||
|
|
Fixes: ab77e81f6521 ("x86/dom0: support bzip2 and lzma compressed bzImage payloads")
|
||
|
|
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
|
||
|
|
Acked-by: Jan Beulich <jbeulich@suse.com>
|
||
|
|
|
||
|
|
--- a/xen/common/bunzip2.c
|
||
|
|
+++ b/xen/common/bunzip2.c
|
||
|
|
@@ -221,7 +221,8 @@ static int __init get_next_block(struct
|
||
|
|
RUNB) */
|
||
|
|
symCount = symTotal+2;
|
||
|
|
for (j = 0; j < groupCount; j++) {
|
||
|
|
- unsigned char length[MAX_SYMBOLS], temp[MAX_HUFCODE_BITS+1];
|
||
|
|
+ unsigned char length[MAX_SYMBOLS];
|
||
|
|
+ unsigned short temp[MAX_HUFCODE_BITS+1];
|
||
|
|
int minLen, maxLen, pp;
|
||
|
|
/* Read Huffman code lengths for each symbol. They're
|
||
|
|
stored in a way similar to mtf; record a starting
|