-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Synopsis: Integer overflow in libbz2 decompression code
NetBSD versions: 5.0, 4.0.1, 4.0
Thanks to: Mikolaj Izdebski, Christos Zoulas
Reported in NetBSD Security Advisory: NetBSD-SA2010-007

Index: dist/bzip2/decompress.c
===================================================================
RCS file: /cvsroot/src/dist/bzip2/decompress.c,v
diff -u
- --- dist/bzip2/decompress.c   18 Mar 2008 14:41:45 -0000      1.1.1.3
+++ dist/bzip2/decompress.c     22 Sep 2010 22:52:03 -0000      1.1.1.3.12.1
@@ -381,6 +381,13 @@
            es = -1;
            N = 1;
            do {
+               /* Check that N doesn't get too big, so that es doesn't
+                  go negative.  The maximum value that can be
+                  RUNA/RUNB encoded is equal to the block size (post
+                  the initial RLE), viz, 900k, so bounding N at 2
+                  million should guard against overflow without
+                  rejecting any legitimate inputs. */
+               if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR);
               if (nextSym == BZ_RUNA) es = es + (0+1) * N; else
               if (nextSym == BZ_RUNB) es = es + (1+1) * N;
               N = N * 2;
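Review bot: The limit in the added `if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR);` is a bare literal whose rationale lives only in the comment above it. A named constant defined beside the block-size limits (for example `#define BZ_MAX_RUN_N (2*1024*1024)`, a name constructed for this note) would keep the bound and its 900k justification in one place. With N capped below 2^21, the two accumulation lines that follow can raise `es` to just under 2^22, so it cannot wrap, assuming `es` is a 32-bit signed integer. The rest of the do-loop and every later use of `es` lie outside this hunk, so confirm there that the decoded run length is checked against the space left in the output block before it is used as a count or added to a running total.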
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (NetBSD)
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=x0tG
-----END PGP SIGNATURE-----