aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorColin Percival <cperciva@FreeBSD.org>2010-09-20 14:58:08 +0000
committerColin Percival <cperciva@FreeBSD.org>2010-09-20 14:58:08 +0000
commit7418fb420f9048661643f3c03159692c474d078a (patch)
treedf2784dc5025fafecfa1469403d077850cd7b9de
parent9adee7d03f2e4c91e6330410f88fb5addaf2a24a (diff)
downloadsrc-7418fb420f9048661643f3c03159692c474d078a.tar.gz
src-7418fb420f9048661643f3c03159692c474d078a.zip
Fix an integer overflow in RLE length parsing when decompressing
corrupt bzip2 data. Approved by: so (cperciva) Security: FreeBSD-SA-10:08.bzip2
Notes
Notes: svn path=/releng/8.1/; revision=212901
-rw-r--r--UPDATING4
-rw-r--r--contrib/bzip2/decompress.c7
-rw-r--r--sys/conf/newvers.sh2
3 files changed, 12 insertions, 1 deletions
diff --git a/UPDATING b/UPDATING
index ead73d7f4a3f..f2c69bc65ada 100644
--- a/UPDATING
+++ b/UPDATING
@@ -15,6 +15,10 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8.x IS SLOW ON IA64 OR SUN4V:
debugging tools present in HEAD were left in place because
sun4v support still needs work to become production ready.
+20100920: p1 FreeBSD-SA-10:08.bzip2
+ Fix an integer overflow in RLE length parsing when decompressing
+ corrupt bzip2 data.
+
20100720:
8.1-RELEASE.
diff --git a/contrib/bzip2/decompress.c b/contrib/bzip2/decompress.c
index bba5e0fa36dc..af1d4d09afb9 100644
--- a/contrib/bzip2/decompress.c
+++ b/contrib/bzip2/decompress.c
@@ -381,6 +381,13 @@ Int32 BZ2_decompress ( DState* s )
es = -1;
N = 1;
do {
+ /* Check that N doesn't get too big, so that es doesn't
+ go negative. The maximum value that can be
+ RUNA/RUNB encoded is equal to the block size (post
+ the initial RLE), viz, 900k, so bounding N at 2
+ million should guard against overflow without
+ rejecting any legitimate inputs. */
+ if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR);
if (nextSym == BZ_RUNA) es = es + (0+1) * N; else
if (nextSym == BZ_RUNB) es = es + (1+1) * N;
N = N * 2;
diff --git a/sys/conf/newvers.sh b/sys/conf/newvers.sh
index 1464310e0134..eb06c3aa0271 100644
--- a/sys/conf/newvers.sh
+++ b/sys/conf/newvers.sh
@@ -32,7 +32,7 @@
TYPE="FreeBSD"
REVISION="8.1"
-BRANCH="RELEASE"
+BRANCH="RELEASE-p1"
if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
BRANCH=${BRANCH_OVERRIDE}
fi