Commit c2895979 authored by Dan Carpenter's avatar Dan Carpenter Committed by Ben Hutchings

decompress_bunzip2: off by one in get_next_block()

commit b5c8afe5 upstream.

"origPtr" is used as an offset into the bd->dbuf[] array.  That array is
allocated in start_bunzip() and has "bd->dbufSize" number of elements so
the test here should be >= instead of >.

Later we check "origPtr" again before using it as an offset so I don't
know if this bug can be triggered in real life.

Fixes: bc22c17e ('bzip2/lzma: library support for gzip, bzip2 and lzma decompression')
Signed-off-by: default avatarDan Carpenter <dan.carpenter@oracle.com>
Cc: Alain Knaff <alain@knaff.lu>
Cc: Yinghai Lu <yinghai@kernel.org>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: default avatarBen Hutchings <ben@decadent.org.uk>
parent 277d8276
...@@ -185,7 +185,7 @@ static int INIT get_next_block(struct bunzip_data *bd) ...@@ -185,7 +185,7 @@ static int INIT get_next_block(struct bunzip_data *bd)
if (get_bits(bd, 1)) if (get_bits(bd, 1))
return RETVAL_OBSOLETE_INPUT; return RETVAL_OBSOLETE_INPUT;
origPtr = get_bits(bd, 24); origPtr = get_bits(bd, 24);
if (origPtr > dbufSize) if (origPtr >= dbufSize)
return RETVAL_DATA_ERROR; return RETVAL_DATA_ERROR;
/* mapping table: if some byte values are never used (encoding things /* mapping table: if some byte values are never used (encoding things
like ascii text), the compression code removes the gaps to have fewer like ascii text), the compression code removes the gaps to have fewer
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment