Fix for an integer overflow bug that could cause a segfault on certain
pathological archives.

author    Rob Landley <rob@landley.net>
          Fri, 17 Feb 2006 05:19:40 +0000 (05:19 -0000)
committer Rob Landley <rob@landley.net>
          Fri, 17 Feb 2006 05:19:40 +0000 (05:19 -0000)

(Unlikely to have security implications, the only way to trigger it basically
wound up doing memset(dbuf,x,2^31) and triggering an immediate segfault.  The
test basically gives us a more polite error message.)

Thanks to Ned Ludd and the Gentoo security guys for finding this.

archival/libunarchive/decompress_bunzip2.c

index 34afd6f..df6fa07 100644 (file)
@@ -413,7 +413,7 @@ got_huff_bits:
                           context).  Thus space is saved. */
 
                        t += (runPos << nextSym); /* +runPos if RUNA; +2*runPos if RUNB */
-                       runPos <<= 1;
+                       if(runPos < dbufSize) runPos <<= 1;
                        goto end_of_huffman_loop;
                }
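Review bot: the new guard caps runPos but not t, which on the line above keeps accumulating runPos << nextSym; confirm that t is bounds-checked against dbufSize before it is used as a repeat count, since the commit message's "more polite error message" depends on a check outside this hunk rather than on the capped shift itself. A short comment on the new line (e.g. "/* a run longer than dbufSize can never be valid; stop shifting before runPos overflows */") would make the reason for the cutoff clear to future readers, and `if (runPos < dbufSize)` with a space would match the spacing of the surrounding conditionals.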