From: Rob Landley
Date: Sat, 28 Jun 2008 06:07:34 +0000 (-0500)
Subject: A pathological case of huffman coding that uses 8 bits to code each of 256
X-Git-Tag: 0.0.7~12
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=8cca60d64e4b0c4f45fdb0bf5517869867d51a6e;p=platform%2Fupstream%2Ftoybox.git

A pathological case of huffman coding that uses 8 bits to code each of 256 symbols could cause an unsigned char limit[8] to wrap back to 0, setting limit to -1 and making the decompressor exit with a data error.
---
diff --git a/lib/bunzip.c b/lib/bunzip.c index f923b0c..ae84289 100644 --- a/lib/bunzip.c +++ b/lib/bunzip.c @@ -204,8 +204,9 @@ static int read_block_header(struct bunzip_data *bd, struct bwdata *bw) // literal symbols, plus two run symbols (RUNA, RUNB) symCount = bd->symTotal+2; for (jj=0; jjgroupCount; jj++) { - unsigned char length[MAX_SYMBOLS], temp[MAX_HUFCODE_BITS+1]; - int minLen, maxLen, pp; + unsigned char length[MAX_SYMBOLS]; + unsigned temp[MAX_HUFCODE_BITS+1]; + int minLen, maxLen, pp; // Read lengths hh = get_bits(bd, 5);
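Review bot: The new `unsigned temp[MAX_HUFCODE_BITS+1];` declaration carries no comment saying why it must be wider than a byte, and the commit message describes the wrap in terms of `limit[8]` while the only type this hunk changes is that of `temp`. If `temp` is what counts symbols per code length, as the message implies, then 256 symbols sharing one length is a value an 8-bit `unsigned char` cannot hold, and `symCount = bd->symTotal+2` shows the symbol count also includes the two run symbols. A one-line comment on `temp` stating that its entries can exceed 255 would keep the array from being narrowed back to `unsigned char` in a later cleanup. The message would be easier to follow if it named `temp` as the array that wraps and `limit` as the value derived from it. `length[MAX_SYMBOLS]` stays `unsigned char`, which looks right for code lengths, but that is worth stating too, since the two arrays were declared together before this change. A regression input with 256 eight-bit codes in one group would pin the fix down.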