From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Content-Type: text/plain; charset="UTF-8" Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 From: Ben Hutchings To: linux-kernel@vger.kernel.org, stable@vger.kernel.org CC: akpm@linux-foundation.org, "Yinghai Lu" , "Alain Knaff" , "Linus Torvalds" , "H. Peter Anvin" , "Dan Carpenter" Date: Tue, 17 Feb 2015 01:46:53 +0000 Message-ID: Subject: [PATCH 3.2 058/152] decompress_bunzip2: off by one in get_next_block() In-Reply-To: Sender: linux-kernel-owner@vger.kernel.org List-ID: 3.2.67-rc1 review patch. If anyone has any objections, please let me know. ------------------ From: Dan Carpenter commit b5c8afe5be51078a979d86ae5ae78c4ac948063d upstream. "origPtr" is used as an offset into the bd->dbuf[] array. That array is allocated in start_bunzip() and has "bd->dbufSize" number of elements so the test here should be >= instead of >. Later we check "origPtr" again before using it as an offset so I don't know if this bug can be triggered in real life. Fixes: bc22c17e12c1 ('bzip2/lzma: library support for gzip, bzip2 and lzma decompression') Signed-off-by: Dan Carpenter Cc: Alain Knaff Cc: Yinghai Lu Cc: "H. Peter Anvin" Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Ben Hutchings --- lib/decompress_bunzip2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/lib/decompress_bunzip2.c +++ b/lib/decompress_bunzip2.c @@ -185,7 +185,7 @@ static int INIT get_next_block(struct bu if (get_bits(bd, 1)) return RETVAL_OBSOLETE_INPUT; origPtr = get_bits(bd, 24); - if (origPtr > dbufSize) + if (origPtr >= dbufSize) return RETVAL_DATA_ERROR; /* mapping table: if some byte values are never used (encoding things like ascii text), the compression code removes the gaps to have fewer