From 5ad93f32da3e2ac70b1fa929889d3034c79f7ed6 Mon Sep 17 00:00:00 2001
From: Rob Landley
Date: Thu, 3 Mar 2016 11:07:59 -0600
Subject: [PATCH] Fix bzcat integer overflow reported by John Regehr.
---
 tests/bzcat.test | 4 ++++
 tests/files/bzcat/overflow.bz2 | Bin 0 -> 993 bytes
 toys/other/bzcat.c | 8 +++++---
 3 files changed, 9 insertions(+), 3 deletions(-)
 create mode 100644 tests/files/bzcat/overflow.bz2
diff --git a/tests/bzcat.test b/tests/bzcat.test
index 4eacc684..ef1b07f5 100755
--- a/tests/bzcat.test
+++ b/tests/bzcat.test
@@ -6,6 +6,10 @@ [ -f testing.sh ] && . testing.sh #testing "name" "command" "result" "infile" "stdin"
+testing "overflow" \
+ 'bzcat "$TOPDIR/files/bzcat/overflow.bz2" >/dev/null 2>/dev/null;
+ [ $? -eq 1 ] && echo good' "good\n" "" ""
+
 echo "hello" > file
 tar -cjf file.tar.bz2 file
 # Get system bzcat
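Review bot: The new "overflow" test accepts any exit status of 1, so it cannot distinguish the intended data-error rejection from an unrelated failure such as the fixture path not resolving when `$TOPDIR` is unset or the file being unreadable, either of which would also print "good"; with `2>/dev/null` the decoder's message is discarded too, so nothing else pins the cause. A cheap guard is to check the fixture inside the command, e.g. `'[ -f "$TOPDIR/files/bzcat/overflow.bz2" ] || echo missing; bzcat "$TOPDIR/files/bzcat/overflow.bz2" >/dev/null 2>/dev/null;`, so a missing fixture yields different output and fails the comparison. Matching the decoder's stderr text would pin it down further, but that text is not in this patch so I have not assumed it.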
diff --git a/tests/files/bzcat/overflow.bz2 b/tests/files/bzcat/overflow.bz2
new file mode 100644
index 0000000000000000000000000000000000000000..9ac7947b20e41fa29fbfca0ab60d1538146e723f
GIT binary patch
literal 993
zcmV<710MWBT4*^jL0KkKSsbRm!vF)y|NsC0|NT#U{QK|kzU05}|M1XYKmbG_13(H8 zVMrpNU`WsdCcG#cu$CZ2JrZW8r~}l|h||=_10Vo2007fK0qOt%XaL9oq)imwrkE&t zn@NZRKmZ0tfB*mh00003AOLEo0D049MVNJdQ%(^Cni(KOV?qd>`#nhA(wAsA&EG!Ia~m`_H4 zZA~UJjYTMybmiLMmt+8;K@)_Ri5OMb9?#*i4sF{|Dz0)F7UINYfGLDaCluyLHh2uk ziTMBk002WL0-*{LB`<4l%Nl}4WR=*xis=X=#daKp6M}5oeqnb2gOfE76A;78hpVh9 zX@S6R)4}7J%S`i^8?L?XSpd+t9Nq&&AE|_}h_wM+r!iJZD6xtJkT4T z-f1%A5X4o@mL8wQjnJl(8KjeKfVxbEo4=8vLYh+3eLP5@! z8I!^dHY^O+XzQ^Yda@)~X=^piV)|MVI=li<(_n_%LKoK3Q1qE`o+GuRoA}ZRyX_9bVyxFzC)Xg2e`~(J$lch9JHGu=qYnjMkl`6!UAIl{#%)&x{c%P}|3G z&xNcwh!vTj{Q4Dh=0QU{w_pQfW~l{rq7p`_^1+70m-VlogV#O5q#I7$ptY-Y$bpsI z++=O%B*P`7q{~j0sSw9BBt8@eeWSq8Q2Ot>{nYoFJyXe`B0q^(UahC5E5gL>-L}_71=`T?@!9PGb z;1wDamUyIZw2xqdO$&@3SAJ>gxHX}-&0h-TOs}cnBS8(af#D3WL(NubCdpDPEt3M! zTTi8zEFd*83NJ+*ScS`UFe_Jfo#@+Mc!?LR$^||28i5m6JvfUnuG=v{#V3>*QpMCP z%R3;wYbdrV(^S@lC^ps$ihOKXk7FTtOsIj2CSh8`ZP<+@0Ld=m1QLR)NG1wVAW%5j zon=6C032EApiP-jydokZA|fIpA|fIpA|fIpBExY|M|i+P4YE#!{TX1NUM%rG5R`$q z984fnq^UBXFa;~{7278W%r|pWk1f)zHJUH{_S2pAwZ&#}G-fv`N(&%Q?~{6=kh&R| PpYe?(Q-uiugJ-LteqpbU
literal 0
HcmV?d00001
diff --git a/toys/other/bzcat.c b/toys/other/bzcat.c
index 1081b5e9..fdad9a01 100644
--- a/toys/other/bzcat.c
+++ b/toys/other/bzcat.c
@@ -319,9 +319,9 @@ static int read_block_header(struct bunzip_data *bd, struct bwdata *bw)
 static int read_huffman_data(struct bunzip_data *bd, struct bwdata *bw)
 {
 struct group_data *hufGroup;
- int hh, ii, jj, kk, runPos, dbufCount, symCount, selector, nextSym,
+ int ii, jj, kk, runPos, dbufCount, symCount, selector, nextSym,
 *byteCount, *base, *limit;
- unsigned int *dbuf = bw->dbuf;
+ unsigned hh, *dbuf = bw->dbuf;
 unsigned char uc;
 // We've finished reading and digesting the block header. Now read this
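Review bot: Nothing at the changed declaration says why `hh` alone became `unsigned` while every neighbouring counter stayed `int`; the reason (it is compared against `bd->dbufSize` in the hunk at -401, where a wrapped signed value could go negative and pass the bound check) lives some eighty lines away, so a later cleanup may fold it back into the `int` list. I would carry the rationale on the declaration itself: `unsigned hh, *dbuf = bw->dbuf;  // hh is apparently a run length bounded by dbufSize below; unsigned so wraparound cannot yield a negative that passes the check`. Giving `hh` its own declaration instead of sharing a declarator list with the pointer `*dbuf` would also make the scalar/pointer mix easier to read. read_huffman_data begins in this hunk but its body runs past it.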
@@ -401,7 +401,9 @@ static int read_huffman_data(struct bunzip_data *bd, struct bwdata *bw)
 literal used is the one at the head of the mtfSymbol array.) */
 if (runPos) {
 runPos = 0;
- if (dbufCount+hh > bd->dbufSize) return RETVAL_DATA_ERROR;
+ // Check for integer overflow
+ if (hh>bd->dbufSize || dbufCount+hh>bd->dbufSize)
+ return RETVAL_DATA_ERROR;
 uc = bd->symToByte[bd->mtfSymbol[0]];
 byteCount[uc] += hh;
-- 
2.39.2
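Review bot: The new condition compares unsigned `hh` with `dbufCount` and `bd->dbufSize`, which are signed (`dbufCount` is declared `int` in the earlier hunk; `dbufSize`'s declaration is outside this patch and I am assuming `int`), so `dbufCount+hh` is evaluated in unsigned arithmetic and the guard is only sound because both counts are known to be non-negative; `-Wsign-compare` will flag it as well. A form that never adds removes the dependence on promotion rules: `if (dbufCount > bd->dbufSize || hh > (unsigned)(bd->dbufSize - dbufCount))` followed by `return RETVAL_DATA_ERROR;`, which rejects an already-overrun buffer first and then compares the run length with the remaining room, giving the same result for every in-range value. The comment `// Check for integer overflow` would serve better stating what is guarded, e.g. `// Reject a run that would overrun dbuf; hh is unsigned so the sum cannot wrap negative`. read_huffman_data starts and ends outside this hunk.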