summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorDenys Vlasenko2013-10-06 22:53:14 +0200
committerDenys Vlasenko2013-10-06 22:53:14 +0200
commit932e233a491b6a5b9293ace04ef74667a95d739c (patch)
tree8c796251df17be67d8e7a285e916a8d29ddcda8b
parentcd256e1c407aa70dfefb7178ed2c0e4201f1aaf7 (diff)
downloadbusybox-932e233a491b6a5b9293ace04ef74667a95d739c.zip
busybox-932e233a491b6a5b9293ace04ef74667a95d739c.tar.gz
bunzip2: fix off-by-one check
stage3-armv7a_hardfp-20130209.tar.bz2, 149189948 bytes long, md5sum b29ce23312e14eb15a143377d4a38473, was failing to unpack. It so happened that this file has a run which exactly fills the 90k buffer. The check was "size >= bufsize", apparently it has to be ">". Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
-rw-r--r--archival/libarchive/decompress_bunzip2.c26
1 files changed, 18 insertions, 8 deletions
diff --git a/archival/libarchive/decompress_bunzip2.c b/archival/libarchive/decompress_bunzip2.c
index dc252bb..fb1f292 100644
--- a/archival/libarchive/decompress_bunzip2.c
+++ b/archival/libarchive/decompress_bunzip2.c
@@ -42,6 +42,12 @@
#include "libbb.h"
#include "bb_archive.h"
+#if 0
+# define dbg(...) bb_error_msg(__VA_ARGS__)
+#else
+# define dbg(...) ((void)0)
+#endif
+
/* Constants for Huffman coding */
#define MAX_GROUPS 6
#define GROUP_SIZE 50 /* 64 would have been more efficient */
@@ -52,13 +58,13 @@
/* Status return values */
#define RETVAL_OK 0
-#define RETVAL_LAST_BLOCK (-1)
-#define RETVAL_NOT_BZIP_DATA (-2)
-#define RETVAL_UNEXPECTED_INPUT_EOF (-3)
-#define RETVAL_SHORT_WRITE (-4)
-#define RETVAL_DATA_ERROR (-5)
-#define RETVAL_OUT_OF_MEMORY (-6)
-#define RETVAL_OBSOLETE_INPUT (-7)
+#define RETVAL_LAST_BLOCK (dbg("%d", __LINE__), -1)
+#define RETVAL_NOT_BZIP_DATA (dbg("%d", __LINE__), -2)
+#define RETVAL_UNEXPECTED_INPUT_EOF (dbg("%d", __LINE__), -3)
+#define RETVAL_SHORT_WRITE (dbg("%d", __LINE__), -4)
+#define RETVAL_DATA_ERROR (dbg("%d", __LINE__), -5)
+#define RETVAL_OUT_OF_MEMORY (dbg("%d", __LINE__), -6)
+#define RETVAL_OBSOLETE_INPUT (dbg("%d", __LINE__), -7)
/* Other housekeeping constants */
#define IOBUF_SIZE 4096
@@ -440,7 +446,11 @@ static int get_next_block(bunzip_data *bd)
literal used is the one at the head of the mtfSymbol array.) */
if (runPos != 0) {
uint8_t tmp_byte;
- if (dbufCount + runCnt >= dbufSize) return RETVAL_DATA_ERROR;
+ if (dbufCount + runCnt > dbufSize) {
+ dbg("dbufCount:%d+runCnt:%d %d > dbufSize:%d RETVAL_DATA_ERROR",
+ dbufCount, runCnt, dbufCount + runCnt, dbufSize);
+ return RETVAL_DATA_ERROR;
+ }
tmp_byte = symToByte[mtfSymbol[0]];
byteCount[tmp_byte] += runCnt;
while (--runCnt >= 0) dbuf[dbufCount++] = (uint32_t)tmp_byte;