diff options
author | Denys Vlasenko | 2013-10-06 22:53:14 +0200 |
---|---|---|
committer | Denys Vlasenko | 2013-10-06 22:53:14 +0200 |
commit | 932e233a491b6a5b9293ace04ef74667a95d739c (patch) | |
tree | 8c796251df17be67d8e7a285e916a8d29ddcda8b | |
parent | cd256e1c407aa70dfefb7178ed2c0e4201f1aaf7 (diff) | |
download | busybox-932e233a491b6a5b9293ace04ef74667a95d739c.zip busybox-932e233a491b6a5b9293ace04ef74667a95d739c.tar.gz |
bunzip2: fix off-by-one check
stage3-armv7a_hardfp-20130209.tar.bz2, 149189948 bytes long,
md5sum b29ce23312e14eb15a143377d4a38473, was failing to unpack.
It so happened that this file has a run which exactly fills
the 90k buffer. The check was "size >= bufsize", apparently
it has to be ">".
Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
-rw-r--r-- | archival/libarchive/decompress_bunzip2.c | 26 |
1 files changed, 18 insertions, 8 deletions
diff --git a/archival/libarchive/decompress_bunzip2.c b/archival/libarchive/decompress_bunzip2.c index dc252bb..fb1f292 100644 --- a/archival/libarchive/decompress_bunzip2.c +++ b/archival/libarchive/decompress_bunzip2.c @@ -42,6 +42,12 @@ #include "libbb.h" #include "bb_archive.h" +#if 0 +# define dbg(...) bb_error_msg(__VA_ARGS__) +#else +# define dbg(...) ((void)0) +#endif + /* Constants for Huffman coding */ #define MAX_GROUPS 6 #define GROUP_SIZE 50 /* 64 would have been more efficient */ @@ -52,13 +58,13 @@ /* Status return values */ #define RETVAL_OK 0 -#define RETVAL_LAST_BLOCK (-1) -#define RETVAL_NOT_BZIP_DATA (-2) -#define RETVAL_UNEXPECTED_INPUT_EOF (-3) -#define RETVAL_SHORT_WRITE (-4) -#define RETVAL_DATA_ERROR (-5) -#define RETVAL_OUT_OF_MEMORY (-6) -#define RETVAL_OBSOLETE_INPUT (-7) +#define RETVAL_LAST_BLOCK (dbg("%d", __LINE__), -1) +#define RETVAL_NOT_BZIP_DATA (dbg("%d", __LINE__), -2) +#define RETVAL_UNEXPECTED_INPUT_EOF (dbg("%d", __LINE__), -3) +#define RETVAL_SHORT_WRITE (dbg("%d", __LINE__), -4) +#define RETVAL_DATA_ERROR (dbg("%d", __LINE__), -5) +#define RETVAL_OUT_OF_MEMORY (dbg("%d", __LINE__), -6) +#define RETVAL_OBSOLETE_INPUT (dbg("%d", __LINE__), -7) /* Other housekeeping constants */ #define IOBUF_SIZE 4096 @@ -440,7 +446,11 @@ static int get_next_block(bunzip_data *bd) literal used is the one at the head of the mtfSymbol array.) */ if (runPos != 0) { uint8_t tmp_byte; - if (dbufCount + runCnt >= dbufSize) return RETVAL_DATA_ERROR; + if (dbufCount + runCnt > dbufSize) { + dbg("dbufCount:%d+runCnt:%d %d > dbufSize:%d RETVAL_DATA_ERROR", + dbufCount, runCnt, dbufCount + runCnt, dbufSize); + return RETVAL_DATA_ERROR; + } tmp_byte = symToByte[mtfSymbol[0]]; byteCount[tmp_byte] += runCnt; while (--runCnt >= 0) dbuf[dbufCount++] = (uint32_t)tmp_byte; |