-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Synopsis: Integer overflow in libbz2 decompression code
NetBSD versions: 5.0, 4.0.1, 4.0
Thanks to: Mikolaj Izdebski, Christos Zoulas
Reported in NetBSD Security Advisory: NetBSD-SA2010-007

Index: dist/bzip2/decompress.c
===================================================================
RCS file: /cvsroot/src/dist/bzip2/decompress.c,v
diff -u
- --- dist/bzip2/decompress.c 18 Mar 2008 14:41:45 -0000 1.1.1.3
+++ dist/bzip2/decompress.c 22 Sep 2010 22:52:03 -0000 1.1.1.3.12.1
@@ -381,6 +381,13 @@
          es = -1;
          N = 1;
          do {
+            /* Check that N doesn't get too big, so that es doesn't
+               go negative. The maximum value that can be
+               RUNA/RUNB encoded is equal to the block size (post
+               the initial RLE), viz, 900k, so bounding N at 2
+               million should guard against overflow without
+               rejecting any legitimate inputs. */
+            if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR);
             if (nextSym == BZ_RUNA) es = es + (0+1) * N; else
             if (nextSym == BZ_RUNB) es = es + (1+1) * N;
             N = N * 2;
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (NetBSD)

iQIcBAEBAgAGBQJMriavAAoJEAZJc6xMSnBuLr4P/jwS6I2Z1hGTHN7kNayS1+Mu
wSmYW/RRoKO35xByp8tHOa5biYy0i6ZSxNsoQdXsa0SK8y1xBPgqLVgMQcglgNrV
5Bzhh97OoLCIYiSLymumpozxHLUbNZFoxWMdv6JJIS/reyhoI9m3pcn6nhrHbT4W
FPg3RCX/PKe+Ng+9DuHHqs2+dBqP7n4oeVqgdxkiQOlsI29DZLtDj3jyS2XKNWhK
v2ZJi9QNsxL43PO2H7mlKluMbCQJBWLpDfvrGoI/d9iXM2CBgMLeapb0g8GWJgbC
/ToKKCJuO+icHU17rjqnFq/r98arWXTfFekuT+058e0dLx5eAq1aJ/lCZSlTnRVc
vTCwMVzqMuJl4eVtqtGUj9NZnngLX8X5+7KU7ryxJA8z5GoSaLxoKAA42SB4MX0k
72eDCXqH0PeGfN3nviZtKwTXP9b3jOpr5mnVT5U9TUzyGur+dc4owylOXj0fLrZP
4ITKwjbBl96G/SSXoR2CMQ96Sm1su9Emny/5aQY21VCgUCpu1EanbiWbiftXc/XX
QgB8NlicHmJYtYMsCsHs2TQ3fyABBi5XYoxf/ngZoT1mhe7+tFfC3DP7AK2W5ujE
udMCMb14CgU0YWQV6LmL7KNBP7kE4IIF+m4pRKg2myIfQAxRJuPs1ecdvzgSLOZT
k3s/sOIt7WDh5FIBmrla
=x0tG
-----END PGP SIGNATURE-----
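Review bot: The limit in the added `if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR);` is a magic number whose only justification is the comment block above it; a named constant such as `#define BZ_MAX_RUN_N (2*1024*1024) /* ~2x the 900k max block size, see comment */` keeps the bound and its rationale together and makes it greppable if the block-size assumption ever changes. The check is also position-sensitive: it only prevents `es` from going negative because it runs before both `es = es + ... * N` updates and before `N = N * 2`, so a short trailing comment on the `if`, e.g. `/* must precede the es/N updates below */`, would stop a later reordering from silently reintroducing the overflow. The enclosing do-while and the decompression function both continue outside this hunk, so the later consumers of `es` are not visible here.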