decompress_bunzip2: off by one in get_next_block()
commit b5c8afe5be51078a979d86ae5ae78c4ac948063d upstream.
"origPtr" is used as an offset into the bd->dbuf[] array. That array is
allocated in start_bunzip() and has "bd->dbufSize" number of elements so
the test here should be >= instead of >.
Later we check "origPtr" again before using it as an offset so I don't
know if this bug can be triggered in real life.
Fixes: bc22c17e12 ('bzip2/lzma: library support for gzip, bzip2 and lzma decompression')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Alain Knaff <alain@knaff.lu>
Cc: Yinghai Lu <yinghai@kernel.org>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Dan Carpenter
Greg Kroah-Hartman
parent
77287a2cab
commit
42ddd03e80
|
|
@ -184,7 +184,7 @@ static int INIT get_next_block(struct bunzip_data *bd)
|
||||||
if (get_bits(bd, 1))
|
if (get_bits(bd, 1))
|
||||||
return RETVAL_OBSOLETE_INPUT;
|
return RETVAL_OBSOLETE_INPUT;
|
||||||
origPtr = get_bits(bd, 24);
|
origPtr = get_bits(bd, 24);
|
||||||
if (origPtr > dbufSize)
|
if (origPtr >= dbufSize)
|
||||||
return RETVAL_DATA_ERROR;
|
return RETVAL_DATA_ERROR;
|
||||||
/* mapping table: if some byte values are never used (encoding things
|
/* mapping table: if some byte values are never used (encoding things
|
||||||
like ascii text), the compression code removes the gaps to have fewer
|
like ascii text), the compression code removes the gaps to have fewer
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue