* [PATCH] lib: decompress_bunzip2: fix 32-bit shift undefined behavior
@ 2026-03-08 16:50 Josh Law
0 siblings, 0 replies; only message in thread
From: Josh Law @ 2026-03-08 16:50 UTC (permalink / raw)
To: Andrew Morton; +Cc: linux-kernel, Josh Law
From: Josh Law <objecting@objecting.org>
Fix undefined behavior caused by shifting a 32-bit integer by 32 bits
during decompression. This prevents potential kernel decompression
failures or corruption when parsing malicious or malformed bzip2
archives.
Signed-off-by: Josh Law <objecting@objecting.org>
---
lib/decompress_bunzip2.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/lib/decompress_bunzip2.c b/lib/decompress_bunzip2.c
index ca736166f100..1288f146661f 100644
--- a/lib/decompress_bunzip2.c
+++ b/lib/decompress_bunzip2.c
@@ -135,7 +135,7 @@ static unsigned int INIT get_bits(struct bunzip_data *bd, char bits_wanted)
}
/* Avoid 32-bit overflow (dump bit buffer to top of output) */
if (bd->inbufBitCount >= 24) {
- bits = bd->inbufBits&((1 << bd->inbufBitCount)-1);
+ bits = bd->inbufBits & ((1ULL << bd->inbufBitCount) - 1);
bits_wanted -= bd->inbufBitCount;
bits <<= bits_wanted;
bd->inbufBitCount = 0;
@@ -146,7 +146,7 @@ static unsigned int INIT get_bits(struct bunzip_data *bd, char bits_wanted)
}
/* Calculate result */
bd->inbufBitCount -= bits_wanted;
- bits |= (bd->inbufBits >> bd->inbufBitCount)&((1 << bits_wanted)-1);
+ bits |= (bd->inbufBits >> bd->inbufBitCount) & ((1ULL << bits_wanted) - 1);
return bits;
}
--
2.43.0
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2026-03-08 16:50 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-03-08 16:50 [PATCH] lib: decompress_bunzip2: fix 32-bit shift undefined behavior Josh Law
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox