diff options
author | Amin Hassani <ahassani@chromium.org> | 2019-03-08 09:58:20 -0800 |
---|---|---|
committer | Sen Jiang <senj@google.com> | 2019-03-29 11:37:50 -0700 |
commit | 7861376124e26e837e1037c1f2aa05e7de9b9d6d (patch) | |
tree | 53751137418d841ff7ac871d717ee7ffbbc065ed | |
parent | d3f226c5294865ab8c07f170067ffa48bb3413a9 (diff) | |
download | bzip2-7861376124e26e837e1037c1f2aa05e7de9b9d6d.tar.gz |
Check for upper bounds of nselectors.
Currently there is no check for the upper bounds of the
nselectors. Hence, a corrupt input can cause a segfault.
This issue was discovered by one of our fuzzers. The actual error was:
../bzip2-1.0.6/decompress.c:299:10: runtime error: index 18002 out of bounds for type 'UChar [18002]'
Test: mma
Change-Id: Ie16067b2101bfdf6d54f6892a717e66f7420e926
-rw-r--r-- | decompress.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/decompress.c b/decompress.c index 311f566..391552d 100644 --- a/decompress.c +++ b/decompress.c @@ -288,6 +288,7 @@ Int32 BZ2_decompress ( DState* s ) if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR); GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15); if (nSelectors < 1) RETURN(BZ_DATA_ERROR); + if (nSelectors > BZ_MAX_SELECTORS) RETURN(BZ_DATA_ERROR); for (i = 0; i < nSelectors; i++) { j = 0; while (True) { |