* [PATCH] lib: decompress_bunzip2: fix 32-bit shift undefined behavior
@ 2026-03-08 16:50 Josh Law
0 siblings, 0 replies; only message in thread
From: Josh Law @ 2026-03-08 16:50 UTC (permalink / raw)
To: Andrew Morton; +Cc: linux-kernel, Josh Law
From: Josh Law <objecting@objecting.org>
Fix undefined behavior caused by shifting a 32-bit integer by 32 bits
during decompression. This prevents potential kernel decompression
failures or corruption when parsing malicious or malformed bzip2
archives.
Signed-off-by: Josh Law <objecting@objecting.org>
---
lib/decompress_bunzip2.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/decompress_bunzip2.c b/lib/decompress_bunzip2.c
index ca736166f100..1288f146661f 100644
--- a/lib/decompress_bunzip2.c
+++ b/lib/decompress_bunzip2.c
@@ -135,7 +135,7 @@ static unsigned int INIT get_bits(struct bunzip_data *bd, char bits_wanted)
}
/* Avoid 32-bit overflow (dump bit buffer to top of output) */
if (bd->inbufBitCount >= 24) {
- bits = bd->inbufBits&((1 << bd->inbufBitCount)-1);
+ bits = bd->inbufBits & ((1ULL << bd->inbufBitCount) - 1);
bits_wanted -= bd->inbufBitCount;
bits <<= bits_wanted;
bd->inbufBitCount = 0;
@@ -146,7 +146,7 @@ static unsigned int INIT get_bits(struct bunzip_data *bd, char bits_wanted)
}
/* Calculate result */
bd->inbufBitCount -= bits_wanted;
- bits |= (bd->inbufBits >> bd->inbufBitCount)&((1 << bits_wanted)-1);
+ bits |= (bd->inbufBits >> bd->inbufBitCount) & ((1ULL << bits_wanted) - 1);
return bits;
}
--
2.43.0
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2026-03-08 16:50 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-08 16:50 [PATCH] lib: decompress_bunzip2: fix 32-bit shift undefined behavior Josh Law
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.