toybox

changeset 305:b094b81830b0

A pathological case of huffman coding that uses 8 bits to code each of 256 symbols could cause an unsigned char limit[8] to wrap back to 0, setting limit to -1 and making the decompressor exit with a data error.
author Rob Landley <rob@landley.net>
date Sat, 28 Jun 2008 01:07:34 -0500
parents 93223118c813
children 523441f8ed01
files lib/bunzip.c
diffstat 1 files changed, 3 insertions(+), 2 deletions(-) [+]
line diff
     1.1 --- a/lib/bunzip.c	Thu Jun 26 22:48:43 2008 -0500
     1.2 +++ b/lib/bunzip.c	Sat Jun 28 01:07:34 2008 -0500
     1.3 @@ -204,8 +204,9 @@
     1.4  	// literal symbols, plus two run symbols (RUNA, RUNB)
     1.5  	symCount = bd->symTotal+2;
     1.6  	for (jj=0; jj<bd->groupCount; jj++) {
     1.7 -		unsigned char length[MAX_SYMBOLS], temp[MAX_HUFCODE_BITS+1];
     1.8 -		int	minLen,	maxLen, pp;
     1.9 +		unsigned char length[MAX_SYMBOLS];
    1.10 +		unsigned temp[MAX_HUFCODE_BITS+1];
    1.11 +		int minLen, maxLen, pp;
    1.12  
    1.13  		// Read lengths
    1.14  		hh = get_bits(bd, 5);