avoid integer overflow that can lead to buffer overflow

2010-09-20 19:39:20 +00:00 · 2010-09-20 19:39:20 +00:00 · 8fb564818f
commit 8fb564818f
parent fda2d7ca9f
1 changed files with 7 additions and 0 deletions
--- a/dist/bzip2/decompress.c
+++ b/dist/bzip2/decompress.c
@ -381,6 +381,13 @@ Int32 BZ2_decompress ( DState* s )
            es = -1;
            N = 1;
            do {
+               /* Check that N doesn't get too big, so that es doesn't
+                  go negative.  The maximum value that can be
+                  RUNA/RUNB encoded is equal to the block size (post
+                  the initial RLE), viz, 900k, so bounding N at 2
+                  million should guard against overflow without
+                  rejecting any legitimate inputs. */
+               if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR);
               if (nextSym == BZ_RUNA) es = es + (0+1) * N; else
               if (nextSym == BZ_RUNB) es = es + (1+1) * N;
               N = N * 2;