Synopsis: Integer overflow in libbz2 decompression code NetBSD versions: 5.0, 4.0.1, 4.0 Thanks to: Mikolaj Izdebski, Christos Zoulas Reported in NetBSD Security Advisory: NetBSD-SA2010-007 Index: dist/bzip2/decompress.c =================================================================== RCS file: /cvsroot/src/dist/bzip2/decompress.c,v diff -u --- dist/bzip2/decompress.c 18 Mar 2008 14:41:45 -0000 1.1.1.3 +++ dist/bzip2/decompress.c 22 Sep 2010 22:52:03 -0000 1.1.1.3.12.1 @@ -381,6 +381,13 @@ es = -1; N = 1; do { + /* Check that N doesn't get too big, so that es doesn't + go negative. The maximum value that can be + RUNA/RUNB encoded is equal to the block size (post + the initial RLE), viz, 900k, so bounding N at 2 + million should guard against overflow without + rejecting any legitimate inputs. */ + if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR); if (nextSym == BZ_RUNA) es = es + (0+1) * N; else if (nextSym == BZ_RUNB) es = es + (1+1) * N; N = N * 2;