diff options
| author | Dan Carpenter <dan.carpenter@oracle.com> | 2014-12-13 03:58:05 +0300 |
|---|---|---|
| committer | Luis Henriques <luis.henriques@canonical.com> | 2015-02-04 13:57:53 +0300 |
| commit | a13ef9ee9fa51a44c1bb4bf9b0a569aee8d07494 (patch) | |
| tree | 6c5cf179d798abe77f6758758a71d0790fd31ba8 /lib | |
| parent | 34bd94d6e950140e9dc58aca54a1aaa4e389ec7c (diff) | |
| download | linux-a13ef9ee9fa51a44c1bb4bf9b0a569aee8d07494.tar.xz | |
decompress_bunzip2: off by one in get_next_block()
commit b5c8afe5be51078a979d86ae5ae78c4ac948063d upstream.
"origPtr" is used as an offset into the bd->dbuf[] array. That array is
allocated in start_bunzip() and has "bd->dbufSize" number of elements so
the test here should be >= instead of >.
Later we check "origPtr" again before using it as an offset so I don't
know if this bug can be triggered in real life.
Fixes: bc22c17e12c1 ('bzip2/lzma: library support for gzip, bzip2 and lzma decompression')
Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
Cc: Alain Knaff <alain@knaff.lu>
Cc: Yinghai Lu <yinghai@kernel.org>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Luis Henriques <luis.henriques@canonical.com>
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/decompress_bunzip2.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/decompress_bunzip2.c b/lib/decompress_bunzip2.c index 31c5f7675fbf..f504027d66a8 100644 --- a/lib/decompress_bunzip2.c +++ b/lib/decompress_bunzip2.c @@ -184,7 +184,7 @@ static int INIT get_next_block(struct bunzip_data *bd) if (get_bits(bd, 1)) return RETVAL_OBSOLETE_INPUT; origPtr = get_bits(bd, 24); - if (origPtr > dbufSize) + if (origPtr >= dbufSize) return RETVAL_DATA_ERROR; /* mapping table: if some byte values are never used (encoding things like ascii text), the compression code removes the gaps to have fewer |