summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorAlbert Astals Cid <aacid@kde.org>2019-05-28 19:35:18 +0200
committerMark Wielaard <mark@klomp.org>2019-06-24 15:34:05 +0200
commit7ed62bfb46e87a9e878712603469440e6882b184 (patch)
tree2ab31d696610797b6913cce701a71e70eb19a6a7
parentFix undefined behavior in the macros SET_BH, CLEAR_BH, & ISSET_BH (diff)
downloadbzip2-7ed62bfb46e87a9e878712603469440e6882b184.tar.gz
bzip2-7ed62bfb46e87a9e878712603469440e6882b184.tar.bz2
bzip2-7ed62bfb46e87a9e878712603469440e6882b184.tar.xz
Make sure nSelectors is not out of range
nSelectors is used in a loop from 0 to nSelectors to access selectorMtf which is UChar selectorMtf[BZ_MAX_SELECTORS]; so if nSelectors is bigger than BZ_MAX_SELECTORS it'll do an invalid memory access Fixes out of bounds access discovered while fuzzying karchive This was reported as CVE-2019-12900 BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.
-rw-r--r--decompress.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/decompress.c b/decompress.c
index ab6a624..f3db91d 100644
--- a/decompress.c
+++ b/decompress.c
@@ -287,7 +287,7 @@ Int32 BZ2_decompress ( DState* s )
287 GET_BITS(BZ_X_SELECTOR_1, nGroups, 3); 287 GET_BITS(BZ_X_SELECTOR_1, nGroups, 3);
288 if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR); 288 if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR);
289 GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15); 289 GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15);
290 if (nSelectors < 1) RETURN(BZ_DATA_ERROR); 290 if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) RETURN(BZ_DATA_ERROR);
291 for (i = 0; i < nSelectors; i++) { 291 for (i = 0; i < nSelectors; i++) {
292 j = 0; 292 j = 0;
293 while (True) { 293 while (True) {