summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMark Wielaard <mark@klomp.org>2019-06-24 00:45:32 +0200
committerMark Wielaard <mark@klomp.org>2019-06-24 00:58:47 +0200
commitc1cdd98db3238cb711c7d9cdc5671452ce2822cb (patch)
treeab84c05bb15b96f655c1914a9907a38c4d76f0fe
parentbzip2recover: Fix buffer overflow for large argv[0]. (diff)
downloadbzip2-c1cdd98db3238cb711c7d9cdc5671452ce2822cb.tar.gz
bzip2-c1cdd98db3238cb711c7d9cdc5671452ce2822cb.tar.bz2
bzip2-c1cdd98db3238cb711c7d9cdc5671452ce2822cb.tar.xz
bzip2recover: Fix use after free issue with outFile.
bzip2recover.c (main): Make sure to set outFile to NULL when done. This was reported as CVE-2016-3189 and found in multiple distributions. https://seclists.org/oss-sec/2016/q2/568 Some more analysis can be found in: https://bugzilla.redhat.com/show_bug.cgi?id=1319648
-rw-r--r--bzip2recover.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/bzip2recover.c b/bzip2recover.c
index 1a70e04..a955d60 100644
--- a/bzip2recover.c
+++ b/bzip2recover.c
@@ -458,6 +458,7 @@ Int32 main ( Int32 argc, Char** argv )
458 bsPutUChar ( bsWr, 0x50 ); bsPutUChar ( bsWr, 0x90 ); 458 bsPutUChar ( bsWr, 0x50 ); bsPutUChar ( bsWr, 0x90 );
459 bsPutUInt32 ( bsWr, blockCRC ); 459 bsPutUInt32 ( bsWr, blockCRC );
460 bsClose ( bsWr ); 460 bsClose ( bsWr );
461 outFile = NULL;
461 } 462 }
462 if (wrBlock >= rbCtr) break; 463 if (wrBlock >= rbCtr) break;
463 wrBlock++; 464 wrBlock++;