BusyBox Bug and Patch Tracking
BusyBox
ID: 0000411
Category: [BusyBox] Other
Severity: minor
Reproducibility: always
Date Submitted: 08-31-05 10:40
Last Update: 09-01-05 01:29
Reporter: avati
View Status: public
Assigned To: BusyBox
Priority: normal
Resolution: fixed
Status: closed
Product Version: 1.00
Summary: 0000411: byte overflow in decompress_unzip.c
Description: in function inflate_gunzip() in archival/libunarchive/decompress_unzip.c
just after calling inflate_unzip() there is this line:

count = bytebuffer_size - bytebuffer_offset;
if (count < 8) {
 ...

but count is a char (1 byte). I hit a situation where bytebuffer_size -
bytebuffer_offset was 2305 and gzip was complaining 'Short read' (there
is a bb_xread_all in the 'if' condition which tries to read from in-fd
which has already eof'd).

count being 1 byte interpreted 2305 as 7 and wrongly entered the 'if'.

as far as functionality is concerned this happens _after_ the actual
un-gzip and only the trailers are affected (which tar happily neglects
as it knows its boundary limit).. but the code is bad and results in a
wrong exit status, which affected my script..

I have attached a small diff which changes the char to int.. the fix most
likely is fixing the symptom and not the root cause, or maybe the root
cause itself.

Additional Information: diff attached
Attached Files: decompress_unzip.diff (509 bytes) 08-31-05 10:40
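The narrowing the report describes, as an added, self-contained illustration (this is not BusyBox code and not the attached diff; the function names and the use of bare integers in place of the real byte buffer are assumptions made here). The buggy form stores the subtraction result in a char, so the comparison sees only the low 8 bits; the fixed form keeps an int. The report's own value of 2305 is used as the sample remaining length. Compiling the buggy form with `-Wconversion` (gcc/clang) is the cheapest way to catch this class of defect at build time.

```c
#include <stdio.h>

/* Hypothetical stand-in for the check in inflate_gunzip(): decide whether
 * the gzip trailer would need another read. Returns 1 if the remaining
 * bytes look "short" (fewer than 8), 0 otherwise.
 *
 * Buggy form: the int result of the subtraction is implicitly narrowed to
 * a char (8 bits) before the comparison, so a remaining length such as
 * 2305 (0x901) is seen as 1 and the trailer path wrongly tries to read
 * more input. */
static int short_read_char(int bytebuffer_size, int bytebuffer_offset)
{
    char count = bytebuffer_size - bytebuffer_offset; /* narrowing happens here */
    return count < 8;
}

/* Fixed form: count keeps the full value, as the attached diff changes it. */
static int short_read_int(int bytebuffer_size, int bytebuffer_offset)
{
    int count = bytebuffer_size - bytebuffer_offset;
    return count < 8;
}

/* Exposes the value the char actually holds, so the truncation is visible.
 * Only the low 8 bits survive; for 2305 that is 1 regardless of whether
 * char is signed or unsigned on the platform. */
static int truncated_count(int bytebuffer_size, int bytebuffer_offset)
{
    char count = bytebuffer_size - bytebuffer_offset;
    return (int)count;
}

/* Model of the exit status the report complains about: a false "short read"
 * turns a successful decompression into a failure exit. */
static int exit_status(int bytebuffer_size, int bytebuffer_offset, int fixed)
{
    int short_read = fixed ? short_read_int(bytebuffer_size, bytebuffer_offset)
                           : short_read_char(bytebuffer_size, bytebuffer_offset);
    return short_read ? 1 : 0;
}

int main(void)
{
    /* Constructed sample: 2305 bytes left in the buffer, as in the report. */
    int size = 2305, offset = 0;

    printf("remaining bytes        : %d\n", size - offset);
    printf("value seen via char    : %d\n", truncated_count(size, offset));
    printf("buggy short-read check : %d\n", short_read_char(size, offset));
    printf("fixed short-read check : %d\n", short_read_int(size, offset));
    printf("exit status buggy/fixed: %d/%d\n",
           exit_status(size, offset, 0), exit_status(size, offset, 1));
    return 0;
}
```

Any remaining length whose low byte is below 8 (2305, 256, 512, ...) trips the buggy check, which is why the failure appeared intermittent and only after the payload had already been inflated.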

- Notes
(0000475) landley, 09-01-05 01:29:
r11299

- Issue History
Date Modified   | Username | Field       | Change
08-31-05 10:40  | avati    | New Issue   |
08-31-05 10:40  | avati    | Status      | new => assigned
08-31-05 10:40  | avati    | Assigned To | => BusyBox
08-31-05 10:40  | avati    | File Added  | decompress_unzip.diff
09-01-05 01:29  | landley  | Status      | assigned => closed
09-01-05 01:29  | landley  | Note Added  | 0000475
09-01-05 01:29  | landley  | Resolution  | open => fixed


Copyright © 2000 - 2006 Mantis Group