SUSE:SLE-12-SP1:GA
File 54c90530-bunzip2-off-by-one-in-get_next_block.patch of Package xen.481
# Commit 39798e95a954eec660a3f5f21489c30ef78daf6d # Date 2015-01-28 16:50:08 +0100 # Author Dan Carpenter <dan.carpenter@oracle.com> # Committer Jan Beulich <jbeulich@suse.com> bunzip2: off by one in get_next_block() "origPtr" is used as an offset into the bd->dbuf[] array. That array is allocated in start_bunzip() and has "bd->dbufSize" number of elements so the test here should be >= instead of >. Later we check "origPtr" again before using it as an offset so I don't know if this bug can be triggered in real life. Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> Trivial adjustments to make the respective Linux commit b5c8afe5be51078a979d86ae5ae78c4ac948063d apply to Xen. Signed-off-by: Jan Beulich <jbeulich@suse.com> Acked-by: Ian Campbell <ian.campbell@citrix.com> --- a/xen/common/bunzip2.c +++ b/xen/common/bunzip2.c @@ -174,7 +174,7 @@ static int INIT get_next_block(struct bu if (get_bits(bd, 1)) return RETVAL_OBSOLETE_INPUT; origPtr = get_bits(bd, 24); - if (origPtr > dbufSize) + if (origPtr >= dbufSize) return RETVAL_DATA_ERROR; /* mapping table: if some byte values are never used (encoding things like ascii text), the compression code removes the gaps to have fewer
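Review bot: On the changed comparison `if (origPtr >= dbufSize)`, the bound is the local `dbufSize`, while the commit message justifies the change by the allocation size `bd->dbufSize`; the hunk does not show where the local is assigned, so it is worth confirming, or stating in the message, that the two hold the same value at this point. Given that, `>=` is the right test for an index into an array of `dbufSize` elements, since the last valid index is `dbufSize - 1` and `origPtr` comes straight from `get_bits(bd, 24)` on untrusted input. The message also mentions a later re-check of `origPtr` without naming it; pointing to that check would let a reader judge whether the old `>` could lead to an out-of-bounds access or only to a delayed `RETVAL_DATA_ERROR`.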