]> sourceware.org Git - bzip2.git/commitdiff
git://sourceware.org / bzip2.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 16f2c75)
Make sure nSelectors is not out of range
authorAlbert Astals Cid <aacid@kde.org>
Tue, 28 May 2019 17:35:18 +0000 (19:35 +0200)
committerMark Wielaard <mark@klomp.org>
Mon, 24 Jun 2019 13:34:05 +0000 (15:34 +0200)
nSelectors is used in a loop from 0 to nSelectors to access selectorMtf
which is
UChar    selectorMtf[BZ_MAX_SELECTORS];
so if nSelectors is bigger than BZ_MAX_SELECTORS it'll do an invalid memory
access

Fixes out of bounds access discovered while fuzzying karchive

This was reported as CVE-2019-12900
BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an
out-of-bounds write when there are many selectors.

decompress.c patch | blob | blame | history

diff --git a/decompress.c b/decompress.c
index ab6a624db17a1c124b5be09c04b0e99d950b70ff..f3db91d14f6ed09f76fbd5c73f7db2cba5f577da 100644 (file)
--- a/decompress.c
+++ b/decompress.c
@@ -287,7 +287,7 @@ Int32 BZ2_decompress ( DState* s )
       GET_BITS(BZ_X_SELECTOR_1, nGroups, 3);
       if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR);
       GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15);
-      if (nSelectors < 1) RETURN(BZ_DATA_ERROR);
+      if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) RETURN(BZ_DATA_ERROR);
       for (i = 0; i < nSelectors; i++) {
          j = 0;
          while (True) {
bzip2 code
This page took 0.024643 seconds and 5 git commands to generate.