summaryrefslogtreecommitdiffstats
path: root/lib
diff options
context:
space:
mode:
authorDan Carpenter <dan.carpenter@oracle.com>2014-12-12 16:58:05 -0800
committerLinus Torvalds <torvalds@linux-foundation.org>2014-12-13 12:42:52 -0800
commitb5c8afe5be51078a979d86ae5ae78c4ac948063d (patch)
treeba14dd243cc624d08e0381b1026a9b70c519b43d /lib
parentec72c666fb345ea5f21359b7bc063710ce558e39 (diff)
downloadlinux-b5c8afe5be51078a979d86ae5ae78c4ac948063d.tar.gz
linux-b5c8afe5be51078a979d86ae5ae78c4ac948063d.tar.bz2
linux-b5c8afe5be51078a979d86ae5ae78c4ac948063d.zip
decompress_bunzip2: off by one in get_next_block()
"origPtr" is used as an offset into the bd->dbuf[] array. That array is allocated in start_bunzip() and has "bd->dbufSize" number of elements so the test here should be >= instead of >. Later we check "origPtr" again before using it as an offset so I don't know if this bug can be triggered in real life. Fixes: bc22c17e12c1 ('bzip2/lzma: library support for gzip, bzip2 and lzma decompression') Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Cc: Alain Knaff <alain@knaff.lu> Cc: Yinghai Lu <yinghai@kernel.org> Cc: "H. Peter Anvin" <hpa@zytor.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'lib')
-rw-r--r--lib/decompress_bunzip2.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/lib/decompress_bunzip2.c b/lib/decompress_bunzip2.c
index 8290e0bef7ea..6dd0335ea61b 100644
--- a/lib/decompress_bunzip2.c
+++ b/lib/decompress_bunzip2.c
@@ -184,7 +184,7 @@ static int INIT get_next_block(struct bunzip_data *bd)
if (get_bits(bd, 1))
return RETVAL_OBSOLETE_INPUT;
origPtr = get_bits(bd, 24);
- if (origPtr > dbufSize)
+ if (origPtr >= dbufSize)
return RETVAL_DATA_ERROR;
/* mapping table: if some byte values are never used (encoding things
like ascii text), the compression code removes the gaps to have fewer