[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [PATCH] bunzip2: off by one in get_next_block()

"origPtr" is used as an offset into the bd->dbuf[] array.  That array is
allocated in start_bunzip() and has "bd->dbufSize" number of elements so
the test here should be >= instead of >.

Later we check "origPtr" again before using it as an offset so I don't
know if this bug can be triggered in real life.

Signed-off-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>

Trivial adjustments to make the respective Linux commit
b5c8afe5be51078a979d86ae5ae78c4ac948063d apply to Xen.

Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx>

--- a/xen/common/bunzip2.c
+++ b/xen/common/bunzip2.c
@@ -174,7 +174,7 @@ static int INIT get_next_block(struct bu
        if (get_bits(bd, 1))
                return RETVAL_OBSOLETE_INPUT;
        origPtr = get_bits(bd, 24);
-       if (origPtr > dbufSize)
+       if (origPtr >= dbufSize)
                return RETVAL_DATA_ERROR;
        /* mapping table: if some byte values are never used (encoding things
           like ascii text), the compression code removes the gaps to have fewer

Attachment: bunzip2-off-by-one.patch
Description: Text document

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.