From 86dd7e3055878026fd4aeea4c731eab4ae9d946d Mon Sep 17 00:00:00 2001
From: cperciva
Date: Mon, 20 Sep 2010 14:58:08 +0000
Subject: [PATCH] Fix an integer overflow in RLE length parsing when decompressing corrupt bzip2 data.
Approved by: so (cperciva)
Security: FreeBSD-SA-10:08.bzip2
git-svn-id: svn://svn.freebsd.org/base/releng/8.0@212901 ccf9f872-aa2e-dd11-9fc8-001c23d0bc1f
---
 UPDATING | 4 ++++
 contrib/bzip2/decompress.c | 7 +++++++
 sys/conf/newvers.sh | 2 +-
 3 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/UPDATING b/UPDATING
index 262aab2c..8f1ff6f8 100644
--- a/UPDATING
+++ b/UPDATING
@@ -15,6 +15,10 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8.x IS SLOW ON IA64 OR SUN4V:
 debugging tools present in HEAD were left in place because sun4v support still needs work to become production ready.
+20100920: p5 FreeBSD-SA-10:08.bzip2
+ Fix an integer overflow in RLE length parsing when decompressing
+ corrupt bzip2 data.
+
 20100713: p4 FreeBSD-SA-10:07.mbuf Correctly copy the M_RDONLY flag when duplicating a reference to an mbuf external buffer.
diff --git a/contrib/bzip2/decompress.c b/contrib/bzip2/decompress.c
index bba5e0fa..af1d4d09 100644
--- a/contrib/bzip2/decompress.c
+++ b/contrib/bzip2/decompress.c
@@ -381,6 +381,13 @@ Int32 BZ2_decompress ( DState* s )
 es = -1; N = 1; do {
+ /* Check that N doesn't get too big, so that es doesn't go negative. The maximum value that can be RUNA/RUNB encoded is equal to the block size (post the initial RLE), viz, 900k, so bounding N at 2 million should guard against overflow without rejecting any legitimate inputs. */
+ if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR);
 if (nextSym == BZ_RUNA) es = es + (0+1) * N; else if (nextSym == BZ_RUNB) es = es + (1+1) * N; N = N * 2;
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index 8bdb7593..ec0cc9fa 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
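Review bot: The limit in `if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR);` is a bare magic number whose only justification is the comment above it; a named constant such as `#define BZ_RUN_N_LIMIT (2*1024*1024)` (name constructed here) defined beside the block-size constants would keep the 900k rationale and the bound in one place and make the safety margin auditable if the block size is ever changed. The placement is right: the check runs before `es` is accumulated and before `N = N * 2`, so neither value can pass the bound inside this loop, which is what closes the signed-overflow path the commit describes. The `do {` body is cut off by the hunk, so the `while` condition that keeps consuming RUNA/RUNB symbols from the input, and the declared types of `N` and `es` (presumably Int32 like the surrounding bzip2 code), are assumed from the rest of decompress.c rather than visible here. A regression test that feeds a stream exceeding the run-length bound and asserts BZ_DATA_ERROR rather than a negative `es` would pin the fix against future edits to this loop.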
@@ -32,7 +32,7 @@
 TYPE="FreeBSD"
 REVISION="8.0"
-BRANCH="RELEASE-p4"
+BRANCH="RELEASE-p5"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 BRANCH=${BRANCH_OVERRIDE}
 fi
-- 
2.42.0