Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/netbsd-1-4]: src/lib/libbz2 Pull up revision 1.9 (requested by simonb):
details: https://anonhg.NetBSD.org/src/rev/2aade22242c1
branches: netbsd-1-4
changeset: 470685:2aade22242c1
user: he <he%NetBSD.org@localhost>
date: Tue Jun 27 15:25:32 2000 +0000
description:
Pull up revision 1.9 (requested by simonb):
Pull in decompression error checking from bzip2-1.0.0.
Fixes PR#8237.
diffstat:
lib/libbz2/decompress.c | 33 ++++++++++++++++++++++++++++-----
1 files changed, 28 insertions(+), 5 deletions(-)
diffs (112 lines):
diff -r b37412a8cb21 -r 2aade22242c1 lib/libbz2/decompress.c
--- a/lib/libbz2/decompress.c Tue Jun 27 15:22:49 2000 +0000
+++ b/lib/libbz2/decompress.c Tue Jun 27 15:25:32 2000 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: decompress.c,v 1.2 1998/09/14 03:08:18 ross Exp $ */
+/* $NetBSD: decompress.c,v 1.2.2.1 2000/06/27 15:25:32 he Exp $ */
/*-------------------------------------------------------------*/
/*--- Decompression machinery ---*/
@@ -114,6 +114,8 @@
{ \
if (groupPos == 0) { \
groupNo++; \
+ if (groupNo >= nSelectors) \
+ RETURN(BZ_DATA_ERROR); \
groupPos = BZ_G_SIZE; \
gSel = s->selector[groupNo]; \
gMinlen = s->minLens[gSel]; \
@@ -124,11 +126,17 @@
groupPos--; \
zn = gMinlen; \
GET_BITS(label1, zvec, zn); \
- while (zvec > gLimit[zn]) { \
+ while (1) { \
+ if (zn > 20 /* the longest code */) \
+ RETURN(BZ_DATA_ERROR); \
+ if (zvec <= gLimit[zn]) break; \
zn++; \
GET_BIT(label2, zj); \
zvec = (zvec << 1) | zj; \
}; \
+ if (zvec - gBase[zn] < 0 \
+ || zvec - gBase[zn] >= BZ_MAX_ALPHA_SIZE) \
+ RETURN(BZ_DATA_ERROR); \
lval = gPerm[zvec - gBase[zn]]; \
}
@@ -289,6 +297,11 @@
GET_UCHAR(BZ_X_ORIGPTR_3, uc);
s->origPtr = (s->origPtr << 8) | ((Int32)uc);
+ if (s->origPtr < 0)
+ RETURN(BZ_DATA_ERROR);
+ if (s->origPtr > 10 + 100000*s->blockSize100k)
+ RETURN(BZ_DATA_ERROR);
+
/*--- Receive the mapping table ---*/
for (i = 0; i < 16; i++) {
GET_BIT(BZ_X_MAPPING_1, uc);
@@ -306,18 +319,21 @@
if (uc == 1) s->inUse[i * 16 + j] = True;
}
makeMaps_d ( s );
+ if (s->nInUse == 0) RETURN(BZ_DATA_ERROR);
alphaSize = s->nInUse+2;
/*--- Now the selectors ---*/
GET_BITS(BZ_X_SELECTOR_1, nGroups, 3);
+ if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR);
GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15);
+ if (nSelectors < 1) RETURN(BZ_DATA_ERROR);
for (i = 0; i < nSelectors; i++) {
j = 0;
while (True) {
GET_BIT(BZ_X_SELECTOR_3, uc);
if (uc == 0) break;
j++;
- if (j > 5) RETURN(BZ_DATA_ERROR);
+ if (j >= nGroups) RETURN(BZ_DATA_ERROR);
}
s->selectorMtf[i] = j;
}
@@ -418,23 +434,24 @@
if (s->smallDecompress)
while (es > 0) {
+ if (nblock >= nblockMAX) RETURN(BZ_DATA_ERROR);
s->ll16[nblock] = (UInt16)uc;
nblock++;
es--;
}
else
while (es > 0) {
+ if (nblock >= nblockMAX) RETURN(BZ_DATA_ERROR);
s->tt[nblock] = (UInt32)uc;
nblock++;
es--;
};
- if (nblock > nblockMAX) RETURN(BZ_DATA_ERROR);
continue;
} else {
- if (nblock > nblockMAX) RETURN(BZ_DATA_ERROR);
+ if (nblock >= nblockMAX) RETURN(BZ_DATA_ERROR);
/*-- uc = MTF ( nextSym-1 ) --*/
{
@@ -501,6 +518,12 @@
}
}
+ /* Now we know what nblock is, we can do a better sanity
+ check on s->origPtr.
+ */
+ if (s->origPtr < 0 || s->origPtr >= nblock)
+ RETURN(BZ_DATA_ERROR);
+
s->state_out_len = 0;
s->state_out_ch = 0;
BZ_INITIALISE_CRC ( s->calculatedBlockCRC );
Home |
Main Index |
Thread Index |
Old Index