author | Colin Percival <cperciva@FreeBSD.org> | 2010-09-20 14:58:08 +0000 |
---|---|---|
committer | Colin Percival <cperciva@FreeBSD.org> | 2010-09-20 14:58:08 +0000 |
commit | 0df48150179039ce25e09b48c85aa39bffdbb4c4 (patch) | |
tree | 33dc38da7e9481b1c30075c023dd26dbd26b6bdb | |
parent | 0f14c153efe45f7c6dd98f0324f0e6882817c815 (diff) | |
Fix an integer overflow in RLE length parsing when decompressing
corrupt bzip2 data.
Approved by: so (cperciva)
Security: FreeBSD-SA-10:08.bzip2
Notes
Notes:
svn path=/releng/6.4/; revision=212901
-rw-r--r-- | UPDATING | 4 | ||||
-rw-r--r-- | contrib/bzip2/decompress.c | 7 | ||||
-rw-r--r-- | sys/conf/newvers.sh | 2 |
3 files changed, 12 insertions, 1 deletions
@@ -8,6 +8,10 @@ Items affecting the ports and packages system can be found in /usr/ports/UPDATING. Please read that file before running portupgrade.
+20100920: p11 FreeBSD-SA-10:08.bzip2
+ Fix an integer overflow in RLE length parsing when decompressing
+ corrupt bzip2 data.
+
 20100526: p10 FreeBSD-SA-10:05.opie Fix a one-NUL-byte buffer overflow in libopie. [10:05]
diff --git a/contrib/bzip2/decompress.c b/contrib/bzip2/decompress.c
index bba5e0fa36dc..af1d4d09afb9 100644
--- a/contrib/bzip2/decompress.c
+++ b/contrib/bzip2/decompress.c
@@ -381,6 +381,13 @@ Int32 BZ2_decompress ( DState* s )
 es = -1;
 N = 1;
 do {
+ /* Check that N doesn't get too big, so that es doesn't
+ go negative. The maximum value that can be
+ RUNA/RUNB encoded is equal to the block size (post
+ the initial RLE), viz, 900k, so bounding N at 2
+ million should guard against overflow without
+ rejecting any legitimate inputs. */
+ if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR);
 if (nextSym == BZ_RUNA) es = es + (0+1) * N; else if (nextSym == BZ_RUNB) es = es + (1+1) * N;
 N = N * 2;
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index f396929fd175..486e06fe38f5 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -32,7 +32,7 @@ TYPE="FreeBSD"
 REVISION="6.4"
-BRANCH="RELEASE-p10"
+BRANCH="RELEASE-p11"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 BRANCH=${BRANCH_OVERRIDE}
 fi |
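Review bot: In the contrib/bzip2/decompress.c hunk, the bound in the added `if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR);` is a bare literal whose link to the 900k block limit exists only in the comment above it. A named constant would keep the limit and its rationale in one place, for example `#define BZ_MAX_RUN_N (2*1024*1024)` (name is a suggestion) with `if (N >= BZ_MAX_RUN_N) RETURN(BZ_DATA_ERROR);` in the loop. The comment mentions only `es` going negative; it would be worth adding that the same check also keeps the `N = N * 2` doubling from overflowing, presumably a signed 32-bit value like `es`. The do-loop and the code that later expands the run from `es` lie outside the hunk, so it should be confirmed there that the expansion still checks `es` against the remaining block space.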