Source-Changes-HG archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

[src/trunk]: src/lib/libbz2 Pull in decompression error checking from bzip2-1...



details:   https://anonhg.NetBSD.org/src/rev/b2d480d2cd6a
branches:  trunk
changeset: 487829:b2d480d2cd6a
user:      simonb <simonb%NetBSD.org@localhost>
date:      Tue Jun 13 14:12:28 2000 +0000

description:
Pull in decompression error checking from bzip2-1.0.0.  Fixes PR bin/8237.
bzip2-1.0.0 is a complete API change and will no be integrated just now...

diffstat:

 lib/libbz2/decompress.c |  33 ++++++++++++++++++++++++++++-----
 1 files changed, 28 insertions(+), 5 deletions(-)

diffs (112 lines):

diff -r 002f6944a6c5 -r b2d480d2cd6a lib/libbz2/decompress.c
--- a/lib/libbz2/decompress.c   Tue Jun 13 13:59:15 2000 +0000
+++ b/lib/libbz2/decompress.c   Tue Jun 13 14:12:28 2000 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: decompress.c,v 1.8 1999/11/02 21:16:55 fvdl Exp $      */
+/*     $NetBSD: decompress.c,v 1.9 2000/06/13 14:12:28 simonb Exp $    */
 
 /*-------------------------------------------------------------*/
 /*--- Decompression machinery                               ---*/
@@ -114,6 +114,8 @@
 {                                                 \
    if (groupPos == 0) {                           \
       groupNo++;                                  \
+      if (groupNo >= nSelectors)                  \
+         RETURN(BZ_DATA_ERROR);                   \
       groupPos = BZ_G_SIZE;                       \
       gSel = s->selector[groupNo];                \
       gMinlen = s->minLens[gSel];                 \
@@ -124,11 +126,17 @@
    groupPos--;                                    \
    zn = gMinlen;                                  \
    GET_BITS(label1, zvec, zn);                    \
-   while (zvec > gLimit[zn]) {                    \
+   while (1) {                                    \
+      if (zn > 20 /* the longest code */)         \
+         RETURN(BZ_DATA_ERROR);                   \
+      if (zvec <= gLimit[zn]) break;              \
       zn++;                                       \
       GET_BIT(label2, zj);                        \
       zvec = (zvec << 1) | zj;                    \
    };                                             \
+   if (zvec - gBase[zn] < 0                       \
+       || zvec - gBase[zn] >= BZ_MAX_ALPHA_SIZE)  \
+      RETURN(BZ_DATA_ERROR);                      \
    lval = gPerm[zvec - gBase[zn]];                \
 }
 
@@ -289,6 +297,11 @@
       GET_UCHAR(BZ_X_ORIGPTR_3, uc);
       s->origPtr = (s->origPtr << 8) | ((Int32)uc);
 
+      if (s->origPtr < 0)
+         RETURN(BZ_DATA_ERROR);
+      if (s->origPtr > 10 + 100000*s->blockSize100k)
+         RETURN(BZ_DATA_ERROR);
+
       /*--- Receive the mapping table ---*/
       for (i = 0; i < 16; i++) {
          GET_BIT(BZ_X_MAPPING_1, uc);
@@ -306,18 +319,21 @@
                if (uc == 1) s->inUse[i * 16 + j] = True;
             }
       makeMaps_d ( s );
+      if (s->nInUse == 0) RETURN(BZ_DATA_ERROR);
       alphaSize = s->nInUse+2;
 
       /*--- Now the selectors ---*/
       GET_BITS(BZ_X_SELECTOR_1, nGroups, 3);
+      if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR);
       GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15);
+      if (nSelectors < 1) RETURN(BZ_DATA_ERROR);
       for (i = 0; i < nSelectors; i++) {
          j = 0;
          while (True) {
             GET_BIT(BZ_X_SELECTOR_3, uc);
             if (uc == 0) break;
             j++;
-            if (j > 5) RETURN(BZ_DATA_ERROR);
+            if (j >= nGroups) RETURN(BZ_DATA_ERROR);
          }
          s->selectorMtf[i] = j;
       }
@@ -418,23 +434,24 @@
 
             if (s->smallDecompress)
                while (es > 0) {
+                  if (nblock >= nblockMAX) RETURN(BZ_DATA_ERROR);
                   s->ll16[nblock] = (UInt16)uc;
                   nblock++;
                   es--;
                }
             else
                while (es > 0) {
+                  if (nblock >= nblockMAX) RETURN(BZ_DATA_ERROR);
                   s->tt[nblock] = (UInt32)uc;
                   nblock++;
                   es--;
                };
 
-            if (nblock > nblockMAX) RETURN(BZ_DATA_ERROR);
             continue;
 
          } else {
 
-            if (nblock > nblockMAX) RETURN(BZ_DATA_ERROR);
+            if (nblock >= nblockMAX) RETURN(BZ_DATA_ERROR);
 
             /*-- uc = MTF ( nextSym-1 ) --*/
             {
@@ -501,6 +518,12 @@
          }
       }
 
+      /* Now we know what nblock is, we can do a better sanity
+         check on s->origPtr.
+      */
+      if (s->origPtr < 0 || s->origPtr >= nblock)
+         RETURN(BZ_DATA_ERROR);
+
       s->state_out_len = 0;
       s->state_out_ch  = 0;
       BZ_INITIALISE_CRC ( s->calculatedBlockCRC );



Home | Main Index | Thread Index | Old Index