forked from pool/bzip2
97b5de053d
OBS-URL: https://build.opensuse.org/package/show/Archiving/bzip2?expand=0&rev=ba843b2be98e63e6e5fb57040a8a6c10
19 lines
886 B
Diff
19 lines
886 B
Diff
Index: bzip2-1.0.5/decompress.c
|
|
===================================================================
|
|
--- bzip2-1.0.5.orig/decompress.c
|
|
+++ bzip2-1.0.5/decompress.c
|
|
@@ -394,6 +394,13 @@ Int32 BZ2_decompress ( DState* s )
|
|
es = -1;
|
|
N = 1;
|
|
do {
|
|
+ /* Check that N doesn't get too big, so that es doesn't
|
|
+ go negative. The maximum value that can be
|
|
+ RUNA/RUNB encoded is equal to the block size (post
|
|
+ the initial RLE), viz, 900k, so bounding N at 2
|
|
+ million should guard against overflow without
|
|
+ rejecting any legitimate inputs. */
|
|
+ if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR);
|
|
if (nextSym == BZ_RUNA) es = es + (0+1) * N; else
|
|
if (nextSym == BZ_RUNB) es = es + (1+1) * N;
|
|
N = N * 2;
|