[PATCH] decompress_bunzip2: Fix rare decompression failure

From: Ross Lagerwall
Date: Wed Jul 17 2024 - 12:21:04 EST

Next message: Moger, Babu: "Re: [PATCH v5 20/20] x86/resctrl: Introduce interface to modify assignment states of the groups"
Previous message: Jassi Brar: "Re: [PATCH 2/2] mailbox: mtk-cmdq: Move pm_runimte_get and put to mbox_chan_ops API"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

The decompression code parses a huffman tree and counts the number of
symbols for a given bit length. In rare cases, there may be >= 256
symbols with a given bit length, causing the unsigned char to overflow.
This causes a decompression failure later when the code tries and fails
to find the bit length for a given symbol.

Since the maximum number of symbols is 258, use unsigned short instead.

Fixes: bc22c17e12c1 ("bzip2/lzma: library support for gzip, bzip2 and lzma decompression")
Signed-off-by: Ross Lagerwall <ross.lagerwall@xxxxxxxxxx>
---
lib/decompress_bunzip2.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/decompress_bunzip2.c b/lib/decompress_bunzip2.c
index 3518e7394eca..ca736166f100 100644
--- a/lib/decompress_bunzip2.c
+++ b/lib/decompress_bunzip2.c
@@ -232,7 +232,8 @@ static int INIT get_next_block(struct bunzip_data *bd)
RUNB) */
symCount = symTotal+2;
for (j = 0; j < groupCount; j++) {
- unsigned char length[MAX_SYMBOLS], temp[MAX_HUFCODE_BITS+1];
+ unsigned char length[MAX_SYMBOLS];
+ unsigned short temp[MAX_HUFCODE_BITS+1];
int minLen, maxLen, pp;
/* Read Huffman code lengths for each symbol. They're
stored in a way similar to mtf; record a starting
--
2.45.2

Next message: Moger, Babu: "Re: [PATCH v5 20/20] x86/resctrl: Introduce interface to modify assignment states of the groups"
Previous message: Jassi Brar: "Re: [PATCH 2/2] mailbox: mtk-cmdq: Move pm_runimte_get and put to mbox_chan_ops API"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]