Date: Mon, 20 Sep 2010 14:58:08 +0000 (UTC) From: Colin Percival <cperciva@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-releng@freebsd.org Subject: svn commit: r212901 - head/contrib/bzip2 releng/6.4 releng/6.4/contrib/bzip2 releng/6.4/sys/conf releng/7.1 releng/7.1/contrib/bzip2 releng/7.1/sys/conf releng/7.3 releng/7.3/contrib/bzip2 releng/7... Message-ID: <201009201458.o8KEw8D3055733@svn.freebsd.org>
Author: cperciva
Date: Mon Sep 20 14:58:08 2010
New Revision: 212901
URL: http://svn.freebsd.org/changeset/base/212901
Log:
Fix an integer overflow in RLE length parsing when decompressing corrupt bzip2 data.
Approved by: so (cperciva)
Security: FreeBSD-SA-10:08.bzip2
Modified:
releng/6.4/UPDATING
releng/6.4/contrib/bzip2/decompress.c
releng/6.4/sys/conf/newvers.sh
releng/7.1/UPDATING
releng/7.1/contrib/bzip2/decompress.c
releng/7.1/sys/conf/newvers.sh
releng/7.3/UPDATING
releng/7.3/contrib/bzip2/decompress.c
releng/7.3/sys/conf/newvers.sh
releng/8.0/UPDATING
releng/8.0/contrib/bzip2/decompress.c
releng/8.0/sys/conf/newvers.sh
releng/8.1/UPDATING
releng/8.1/contrib/bzip2/decompress.c
releng/8.1/sys/conf/newvers.sh
Changes in other areas also in this revision:
Modified:
head/contrib/bzip2/decompress.c
stable/6/contrib/bzip2/decompress.c
stable/7/contrib/bzip2/decompress.c
stable/8/contrib/bzip2/decompress.c
Modified: releng/6.4/UPDATING
==============================================================================
--- releng/6.4/UPDATING Mon Sep 20 13:48:07 2010 (r212900)
+++ releng/6.4/UPDATING Mon Sep 20 14:58:08 2010 (r212901)
@@ -8,6 +8,10 @@ Items affecting the ports and packages s
 /usr/ports/UPDATING. Please read that file before running portupgrade.
+20100920: p11 FreeBSD-SA-10:08.bzip2
+ Fix an integer overflow in RLE length parsing when decompressing
+ corrupt bzip2 data.
+
 20100526: p10 FreeBSD-SA-10:05.opie
 Fix a one-NUL-byte buffer overflow in libopie. [10:05]
Modified: releng/6.4/contrib/bzip2/decompress.c
==============================================================================
--- releng/6.4/contrib/bzip2/decompress.c Mon Sep 20 13:48:07 2010 (r212900)
+++ releng/6.4/contrib/bzip2/decompress.c Mon Sep 20 14:58:08 2010 (r212901)
@@ -381,6 +381,13 @@ Int32 BZ2_decompress ( DState* s )
 es = -1;
 N = 1;
 do {
+ /* Check that N doesn't get too big, so that es doesn't
+ go negative. The maximum value that can be
+ RUNA/RUNB encoded is equal to the block size (post
+ the initial RLE), viz, 900k, so bounding N at 2
+ million should guard against overflow without
+ rejecting any legitimate inputs. */
+ if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR);
 if (nextSym == BZ_RUNA) es = es + (0+1) * N; else
 if (nextSym == BZ_RUNB) es = es + (1+1) * N;
 N = N * 2;
Modified: releng/6.4/sys/conf/newvers.sh
==============================================================================
--- releng/6.4/sys/conf/newvers.sh Mon Sep 20 13:48:07 2010 (r212900)
+++ releng/6.4/sys/conf/newvers.sh Mon Sep 20 14:58:08 2010 (r212901)
@@ -32,7 +32,7 @@
 TYPE="FreeBSD"
 REVISION="6.4"
-BRANCH="RELEASE-p10"
+BRANCH="RELEASE-p11"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 BRANCH=${BRANCH_OVERRIDE}
 fi
Modified: releng/7.1/UPDATING
==============================================================================
--- releng/7.1/UPDATING Mon Sep 20 13:48:07 2010 (r212900)
+++ releng/7.1/UPDATING Mon Sep 20 14:58:08 2010 (r212901)
@@ -8,6 +8,10 @@ Items affecting the ports and packages s
 /usr/ports/UPDATING. Please read that file before running portupgrade.
+20100920: p14 FreeBSD-SA-10:08.bzip2
+ Fix an integer overflow in RLE length parsing when decompressing
+ corrupt bzip2 data.
+
 20100713: p13 FreeBSD-SA-10:07.mbuf
 Correctly copy the M_RDONLY flag when duplicating a reference to an mbuf external buffer.
Modified: releng/7.1/contrib/bzip2/decompress.c
==============================================================================
--- releng/7.1/contrib/bzip2/decompress.c Mon Sep 20 13:48:07 2010 (r212900)
+++ releng/7.1/contrib/bzip2/decompress.c Mon Sep 20 14:58:08 2010 (r212901)
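Review bot: The added `if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR);` hard-codes the bound that the six-line comment above it derives from the 900k block size; naming it, e.g. `if (N >= BZ_RUN_N_LIMIT) RETURN(BZ_DATA_ERROR);` with a `BZ_RUN_N_LIMIT` defined as `2*1024*1024` next to that comment, would keep the value and its rationale in one place and make the "2 million" in the prose and the literal in the code impossible to drift apart. Placing the check at the top of the `do` body, before `es` is updated and before `N = N * 2`, is the right spot: with N kept below 2^21, the sum of at most two N per iteration stays well inside Int32 and N itself never reaches 2^22. What the hunk does not show is how `es` is consumed once the loop exits; the guard only keeps `es` non-negative, so the code that expands the run presumably still has to bound it against the block buffer, which is worth confirming on the new side. The `do { … }` loop condition and the rest of `BZ2_decompress` lie outside the hunk. The same seven lines are repeated verbatim in the releng/7.1, releng/7.3, releng/8.0 and releng/8.1 copies of decompress.c further down, so whatever is decided here applies to all five.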
@@ -381,6 +381,13 @@ Int32 BZ2_decompress ( DState* s )
 es = -1;
 N = 1;
 do {
+ /* Check that N doesn't get too big, so that es doesn't
+ go negative. The maximum value that can be
+ RUNA/RUNB encoded is equal to the block size (post
+ the initial RLE), viz, 900k, so bounding N at 2
+ million should guard against overflow without
+ rejecting any legitimate inputs. */
+ if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR);
 if (nextSym == BZ_RUNA) es = es + (0+1) * N; else
 if (nextSym == BZ_RUNB) es = es + (1+1) * N;
 N = N * 2;
Modified: releng/7.1/sys/conf/newvers.sh
==============================================================================
--- releng/7.1/sys/conf/newvers.sh Mon Sep 20 13:48:07 2010 (r212900)
+++ releng/7.1/sys/conf/newvers.sh Mon Sep 20 14:58:08 2010 (r212901)
@@ -32,7 +32,7 @@
 TYPE="FreeBSD"
 REVISION="7.1"
-BRANCH="RELEASE-p13"
+BRANCH="RELEASE-p14"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 BRANCH=${BRANCH_OVERRIDE}
 fi
Modified: releng/7.3/UPDATING
==============================================================================
--- releng/7.3/UPDATING Mon Sep 20 13:48:07 2010 (r212900)
+++ releng/7.3/UPDATING Mon Sep 20 14:58:08 2010 (r212901)
@@ -8,6 +8,10 @@ Items affecting the ports and packages s
 /usr/ports/UPDATING. Please read that file before running portupgrade.
+20100920: p3 FreeBSD-SA-10:08.bzip2
+ Fix an integer overflow in RLE length parsing when decompressing
+ corrupt bzip2 data.
+
 20100713: p2 FreeBSD-SA-10:07.mbuf
 Correctly copy the M_RDONLY flag when duplicating a reference to an mbuf external buffer.
Modified: releng/7.3/contrib/bzip2/decompress.c
==============================================================================
--- releng/7.3/contrib/bzip2/decompress.c Mon Sep 20 13:48:07 2010 (r212900)
+++ releng/7.3/contrib/bzip2/decompress.c Mon Sep 20 14:58:08 2010 (r212901)
@@ -381,6 +381,13 @@ Int32 BZ2_decompress ( DState* s )
 es = -1;
 N = 1;
 do {
+ /* Check that N doesn't get too big, so that es doesn't
+ go negative. The maximum value that can be
+ RUNA/RUNB encoded is equal to the block size (post
+ the initial RLE), viz, 900k, so bounding N at 2
+ million should guard against overflow without
+ rejecting any legitimate inputs. */
+ if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR);
 if (nextSym == BZ_RUNA) es = es + (0+1) * N; else
 if (nextSym == BZ_RUNB) es = es + (1+1) * N;
 N = N * 2;
Modified: releng/7.3/sys/conf/newvers.sh
==============================================================================
--- releng/7.3/sys/conf/newvers.sh Mon Sep 20 13:48:07 2010 (r212900)
+++ releng/7.3/sys/conf/newvers.sh Mon Sep 20 14:58:08 2010 (r212901)
@@ -32,7 +32,7 @@
 TYPE="FreeBSD"
 REVISION="7.3"
-BRANCH="RELEASE-p2"
+BRANCH="RELEASE-p3"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 BRANCH=${BRANCH_OVERRIDE}
 fi
Modified: releng/8.0/UPDATING
==============================================================================
--- releng/8.0/UPDATING Mon Sep 20 13:48:07 2010 (r212900)
+++ releng/8.0/UPDATING Mon Sep 20 14:58:08 2010 (r212901)
@@ -15,6 +15,10 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8.
 debugging tools present in HEAD were left in place because sun4v support still needs work to become production ready.
+20100920: p5 FreeBSD-SA-10:08.bzip2
+ Fix an integer overflow in RLE length parsing when decompressing
+ corrupt bzip2 data.
+
 20100713: p4 FreeBSD-SA-10:07.mbuf
 Correctly copy the M_RDONLY flag when duplicating a reference to an mbuf external buffer.
Modified: releng/8.0/contrib/bzip2/decompress.c
==============================================================================
--- releng/8.0/contrib/bzip2/decompress.c Mon Sep 20 13:48:07 2010 (r212900)
+++ releng/8.0/contrib/bzip2/decompress.c Mon Sep 20 14:58:08 2010 (r212901)
@@ -381,6 +381,13 @@ Int32 BZ2_decompress ( DState* s )
 es = -1;
 N = 1;
 do {
+ /* Check that N doesn't get too big, so that es doesn't
+ go negative. The maximum value that can be
+ RUNA/RUNB encoded is equal to the block size (post
+ the initial RLE), viz, 900k, so bounding N at 2
+ million should guard against overflow without
+ rejecting any legitimate inputs. */
+ if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR);
 if (nextSym == BZ_RUNA) es = es + (0+1) * N; else
 if (nextSym == BZ_RUNB) es = es + (1+1) * N;
 N = N * 2;
Modified: releng/8.0/sys/conf/newvers.sh
==============================================================================
--- releng/8.0/sys/conf/newvers.sh Mon Sep 20 13:48:07 2010 (r212900)
+++ releng/8.0/sys/conf/newvers.sh Mon Sep 20 14:58:08 2010 (r212901)
@@ -32,7 +32,7 @@
 TYPE="FreeBSD"
 REVISION="8.0"
-BRANCH="RELEASE-p4"
+BRANCH="RELEASE-p5"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 BRANCH=${BRANCH_OVERRIDE}
 fi
Modified: releng/8.1/UPDATING
==============================================================================
--- releng/8.1/UPDATING Mon Sep 20 13:48:07 2010 (r212900)
+++ releng/8.1/UPDATING Mon Sep 20 14:58:08 2010 (r212901)
@@ -15,6 +15,10 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8.
 debugging tools present in HEAD were left in place because sun4v support still needs work to become production ready.
+20100920: p1 FreeBSD-SA-10:08.bzip2
+ Fix an integer overflow in RLE length parsing when decompressing
+ corrupt bzip2 data.
+
 20100720: 8.1-RELEASE.
Modified: releng/8.1/contrib/bzip2/decompress.c
==============================================================================
--- releng/8.1/contrib/bzip2/decompress.c Mon Sep 20 13:48:07 2010 (r212900)
+++ releng/8.1/contrib/bzip2/decompress.c Mon Sep 20 14:58:08 2010 (r212901)
@@ -381,6 +381,13 @@ Int32 BZ2_decompress ( DState* s )
 es = -1;
 N = 1;
 do {
+ /* Check that N doesn't get too big, so that es doesn't
+ go negative. The maximum value that can be
+ RUNA/RUNB encoded is equal to the block size (post
+ the initial RLE), viz, 900k, so bounding N at 2
+ million should guard against overflow without
+ rejecting any legitimate inputs. */
+ if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR);
 if (nextSym == BZ_RUNA) es = es + (0+1) * N; else
 if (nextSym == BZ_RUNB) es = es + (1+1) * N;
 N = N * 2;
Modified: releng/8.1/sys/conf/newvers.sh
==============================================================================
--- releng/8.1/sys/conf/newvers.sh Mon Sep 20 13:48:07 2010 (r212900)
+++ releng/8.1/sys/conf/newvers.sh Mon Sep 20 14:58:08 2010 (r212901)
@@ -32,7 +32,7 @@
 TYPE="FreeBSD"
 REVISION="8.1"
-BRANCH="RELEASE"
+BRANCH="RELEASE-p1"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 BRANCH=${BRANCH_OVERRIDE}
 fi