Fix for an integer overflow bug that could cause a segfault on certain pathological archives. (Unlikely to have security implications, the only way to trigger it basically wound up doing memset(dbuf,x,2^31) and triggering an immediate segfault. The test basically gives us a more polite error message.) Thanks to Ned Ludd and the Gentoo security guys for finding this.

commit: efae294b15ff6d0834778c523e16f1751b790d99 [log] [tgz]
author: Rob Landley <rob@landley.net> Fri Feb 17 05:19:40 2006 +0000
committer: Rob Landley <rob@landley.net> Fri Feb 17 05:19:40 2006 +0000
tree: 73eb0d05822d7fdb6b5986f9477ade764979053e
parent: 2c98c40ec881dcaac93b069525314bc078359175 [diff] [blame]
diff --git a/archival/libunarchive/decompress_bunzip2.c b/archival/libunarchive/decompress_bunzip2.c
index 34afd6f..df6fa07 100644
--- a/archival/libunarchive/decompress_bunzip2.c
+++ b/archival/libunarchive/decompress_bunzip2.c

@@ -413,7 +413,7 @@
 			   context).  Thus space is saved. */
 
 			t += (runPos << nextSym); /* +runPos if RUNA; +2*runPos if RUNB */
-			runPos <<= 1;
+			if(runPos < dbufSize) runPos <<= 1;
 			goto end_of_huffman_loop;
 		}
commit	efae294b15ff6d0834778c523e16f1751b790d99	[log] [tgz]
author	Rob Landley <rob@landley.net>	Fri Feb 17 05:19:40 2006 +0000
committer	Rob Landley <rob@landley.net>	Fri Feb 17 05:19:40 2006 +0000
tree	73eb0d05822d7fdb6b5986f9477ade764979053e
parent	2c98c40ec881dcaac93b069525314bc078359175 [diff] [blame]