SHA256
1
0
forked from pool/bzip2
bzip2/bzip2-CVE-2010-0405.patch

19 lines
886 B
Diff
Raw Normal View History

Index: bzip2-1.0.5/decompress.c
===================================================================
--- bzip2-1.0.5.orig/decompress.c
+++ bzip2-1.0.5/decompress.c
@@ -394,6 +394,13 @@ Int32 BZ2_decompress ( DState* s )
es = -1;
N = 1;
do {
+ /* Check that N doesn't get too big, so that es doesn't
+ go negative. The maximum value that can be
+ RUNA/RUNB encoded is equal to the block size (post
+ the initial RLE), viz, 900k, so bounding N at 2
+ million should guard against overflow without
+ rejecting any legitimate inputs. */
+ if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR);
if (nextSym == BZ_RUNA) es = es + (0+1) * N; else
if (nextSym == BZ_RUNB) es = es + (1+1) * N;
N = N * 2;