SUSE:SLE-15-SP2:GA
File bzip2-1.0.6-CVE-2019-12900.patch of Package bzip2
From 812a898b7622de90e98f103ff7fed0984e4548e4 Mon Sep 17 00:00:00 2001
From: Mark Wielaard <mark@klomp.org>
Date: Wed, 3 Jul 2019 01:28:11 +0200
Subject: [PATCH] Accept as many selectors as the file format allows.

But ignore any larger than the theoretical maximum, BZ_MAX_SELECTORS.

The theoretical maximum number of selectors depends on the maximum
blocksize (900000 bytes) and the number of symbols (50) that can be
encoded with a different Huffman tree. BZ_MAX_SELECTORS is 18002.

But the bzip2 file format allows the number of selectors to be encoded
with 15 bits (because 18002 isn't a factor of 2 and doesn't fit in
14 bits). So the file format maximum is 32767 selectors.

Some bzip2 encoders might actually have written out more selectors
than the theoretical maximum because they rounded up the number of
selectors to some convenient factor of 8.

The extra 14766 selectors can never be validly used by the decompression
algorithm. So we can read them, but then discard them.

This is effectively what was done (by accident) before we added a
check for nSelectors to be at most BZ_MAX_SELECTORS to mitigate
CVE-2019-12900.

The extra selectors were written out after the array inside the
EState struct. But the struct has extra space allocated after the
selector arrays of 18060 bytes (which is larger than 14766).
All of which will be initialized later (so the overwrite of that
space with extra selector values would have been harmless).
---
 compress.c   |  2 +-
 decompress.c | 10 ++++++++--
 2 files changed, 9 insertions(+), 3 deletions(-)

Index: bzip2-1.0.6/decompress.c
===================================================================
--- bzip2-1.0.6.orig/decompress.c
+++ bzip2-1.0.6/decompress.c
@@ -296,8 +296,14 @@ Int32 BZ2_decompress ( DState* s ) j++; if (j >= nGroups) RETURN(BZ_DATA_ERROR); } - s->selectorMtf[i] = j; + /* Having more than BZ_MAX_SELECTORS doesn't make much sense + since they will never be used, but some implementations might + "round up" the number of selectors, so just ignore those. */ + if (i < BZ_MAX_SELECTORS) + s->selectorMtf[i] = j; } + if (nSelectors > BZ_MAX_SELECTORS) + nSelectors = BZ_MAX_SELECTORS; /*--- Undo the MTF values for the selectors. ---*/ { Index: bzip2-1.0.6/compress.c =================================================================== --- bzip2-1.0.6.orig/compress.c +++ bzip2-1.0.6/compress.c @@ -454,7 +454,7 @@ void sendMTFValues ( EState* s ) AssertH( nGroups < 8, 3002 ); AssertH( nSelectors < 32768 && - nSelectors <= (2 + (900000 / BZ_G_SIZE)), + nSelectors <= BZ_MAX_SELECTORS, 3003 );
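Review bot: in the decompress.c hunk, the post-loop clamp `if (nSelectors > BZ_MAX_SELECTORS) nSelectors = BZ_MAX_SELECTORS;` has no comment, and it is only correct as a pair with the `if (i < BZ_MAX_SELECTORS)` guard inside the loop: the guard keeps the store within the first BZ_MAX_SELECTORS entries of `s->selectorMtf`, and the clamp keeps the code after the loop from treating the discarded entries as present. Suggest extending the new comment to cover both statements so that a later cleanup does not drop one of them, and adding a regression input whose selector count lies between BZ_MAX_SELECTORS + 1 and the 15-bit maximum of 32767 given in the commit message. The discarded selectors still pass through `if (j >= nGroups) RETURN(BZ_DATA_ERROR);`, so a malformed extra selector is still rejected; that behaviour is worth keeping and worth a test of its own.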
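Review bot: in the compress.c assertion, the first clause `nSelectors < 32768` is redundant next to `nSelectors <= BZ_MAX_SELECTORS`, since the commit message gives BZ_MAX_SELECTORS as 18002. Either drop the clause or add a short comment saying it documents the 15-bit selector count field of the file format. It would also help to note beside the definition of BZ_MAX_SELECTORS that it equals the replaced expression `(2 + (900000 / BZ_G_SIZE))`, so a reader can see that the encoder-side bound is unchanged in value and that encoder and decoder now share one constant.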