From 0d8c652c46e49e71bbc93e405252ea87cfbe6c89 Mon Sep 17 00:00:00 2001 From: Manuel Novoa III Date: Tue, 1 Mar 2005 19:29:29 +0000 Subject: When filling the bit buffer, gzip decompression apparently never checked for end of file, causing it to hang on corrupted input. --- archival/libunarchive/decompress_unzip.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'archival/libunarchive') diff --git a/archival/libunarchive/decompress_unzip.c b/archival/libunarchive/decompress_unzip.c index e8cf54b..b17065d 100644 --- a/archival/libunarchive/decompress_unzip.c +++ b/archival/libunarchive/decompress_unzip.c @@ -151,7 +151,10 @@ static unsigned int fill_bitbuffer(unsigned int bitbuffer, unsigned int *current /* Leave the first 4 bytes empty so we can always unwind the bitbuffer * to the front of the bytebuffer, leave 4 bytes free at end of tail * so we can easily top up buffer in check_trailer_gzip() */ - bytebuffer_size = 4 + bb_xread(gunzip_src_fd, &bytebuffer[4], bytebuffer_max - 8); + if (!(bytebuffer_size = bb_xread(gunzip_src_fd, &bytebuffer[4], bytebuffer_max - 8))) { + bb_error_msg_and_die("unexpected end of file"); + } + bytebuffer_size += 4; bytebuffer_offset = 4; } bitbuffer |= ((unsigned int) bytebuffer[bytebuffer_offset]) << *current; -- cgit v1.1