From 851b28312f29ea979f18ffed89fcf6d5ad7c953e Mon Sep 17 00:00:00 2001 From: cperciva Date: Mon, 20 Sep 2010 14:58:08 +0000 Subject: [PATCH] Fix an integer overflow in RLE length parsing when decompressing corrupt bzip2 data. Approved by: so (cperciva) Security: FreeBSD-SA-10:08.bzip2 git-svn-id: svn://svn.freebsd.org/base/releng/8.1@212901 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f --- UPDATING | 4 ++++ contrib/bzip2/decompress.c | 7 +++++++ sys/conf/newvers.sh | 2 +- 3 files changed, 12 insertions(+), 1 deletion(-) diff --git a/UPDATING b/UPDATING index ead73d7f..f2c69bc6 100644 --- a/UPDATING +++ b/UPDATING @@ -15,6 +15,10 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8.x IS SLOW ON IA64 OR SUN4V: debugging tools present in HEAD were left in place because sun4v support still needs work to become production ready. +20100920: p1 FreeBSD-SA-10:08.bzip2 + Fix an integer overflow in RLE length parsing when decompressing + corrupt bzip2 data. + 20100720: 8.1-RELEASE. diff --git a/contrib/bzip2/decompress.c b/contrib/bzip2/decompress.c index bba5e0fa..af1d4d09 100644 --- a/contrib/bzip2/decompress.c +++ b/contrib/bzip2/decompress.c @@ -381,6 +381,13 @@ Int32 BZ2_decompress ( DState* s ) es = -1; N = 1; do { + /* Check that N doesn't get too big, so that es doesn't + go negative. The maximum value that can be + RUNA/RUNB encoded is equal to the block size (post + the initial RLE), viz, 900k, so bounding N at 2 + million should guard against overflow without + rejecting any legitimate inputs. */ + if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR); if (nextSym == BZ_RUNA) es = es + (0+1) * N; else if (nextSym == BZ_RUNB) es = es + (1+1) * N; N = N * 2; diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh index 1464310e..eb06c3aa 100644 --- a/sys/conf/newvers.sh +++ b/sys/conf/newvers.sh @@ -32,7 +32,7 @@ TYPE="FreeBSD" REVISION="8.1" -BRANCH="RELEASE" +BRANCH="RELEASE-p1" if [ "X${BRANCH_OVERRIDE}" != "X" ]; then BRANCH=${BRANCH_OVERRIDE} fi -- 2.45.0