Synopsis: Integer overflow in libbz2 decompression code
NetBSD versions: 5.0, 4.0.1, 4.0
Thanks to: Mikolaj Izdebski, Christos Zoulas
Reported in NetBSD Security Advisory: NetBSD-SA2010-007
Index: dist/bzip2/decompress.c
===================================================================
RCS file: /cvsroot/src/dist/bzip2/decompress.c,v
diff -u
- --- dist/bzip2/decompress.c 18 Mar 2008 14:41:45 -0000 1.1.1.3
+++ dist/bzip2/decompress.c 22 Sep 2010 22:52:03 -0000 1.1.1.3.12.1
@@ -381,6 +381,13 @@
es = -1;
N = 1;
do {
+ /* Check that N doesn't get too big, so that es doesn't
+ go negative. The maximum value that can be
+ RUNA/RUNB encoded is equal to the block size (post
+ the initial RLE), viz, 900k, so bounding N at 2
+ million should guard against overflow without
+ rejecting any legitimate inputs. */
+ if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR);
if (nextSym == BZ_RUNA) es = es + (0+1) * N; else
if (nextSym == BZ_RUNB) es = es + (1+1) * N;
N = N * 2;
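Review bot: the bound in the new `if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR);` line rejects N once it reaches 2,097,152, which is not quite the "2 million" the accompanying comment describes; either phrase the comment as "2 MiB" / "2^21" or use the literal `2000000` so that the comment and the constant agree. The placement itself is correct: because the check sits at the top of the loop body, it runs on the iteration after `N = N * 2;` produced the out-of-range value and before `es` is updated with it, so `es` is only ever incremented by `(0+1) * N` or `(1+1) * N` with N below 2^21 and cannot wrap negative. Since the comment justifies the bound with the 900k post-RLE block size, it would help readers to say explicitly that 2^21 is chosen as a loose power-of-two ceiling well above that limit rather than as the exact maximum.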
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (NetBSD)