2024-11-15 13:56:14 +00:00
|
|
|
From 5c93a2ef05285f3e8946aab185c0b44b5abe999f Mon Sep 17 00:00:00 2001
|
|
|
|
From: Andrew Lukoshko <alukoshko@almalinux.org>
|
|
|
|
Date: Fri, 15 Nov 2024 13:54:11 +0000
|
|
|
|
Subject: [PATCH] Accept as many selectors as the file format allows
|
2024-11-15 13:29:49 +00:00
|
|
|
|
|
|
|
But ignore any larger than the theoretical maximum, BZ_MAX_SELECTORS.
|
|
|
|
|
|
|
|
The theoretical maximum number of selectors depends on the maximum
|
|
|
|
blocksize (900000 bytes) and the number of symbols (50) that can be
|
|
|
|
encoded with a different Huffman tree. BZ_MAX_SELECTORS is 18002.
|
|
|
|
|
|
|
|
But the bzip2 file format allows the number of selectors to be encoded
|
|
|
|
with 15 bits (because 18002 isn't a power of 2 and doesn't fit in
|
|
|
|
14 bits). So the file format maximum is 32767 selectors.
|
|
|
|
|
|
|
|
Some bzip2 encoders might actually have written out more selectors
|
|
|
|
than the theoretical maximum because they rounded up the number of
|
|
|
|
selectors to some convenient multiple of 8.
|
|
|
|
|
|
|
|
The extra 14766 selectors can never be validly used by the decompression
|
|
|
|
algorithm. So we can read them, but then discard them.
|
|
|
|
|
|
|
|
This is effectively what was done (by accident) before we added a
|
|
|
|
check for nSelectors to be at most BZ_MAX_SELECTORS to mitigate
|
|
|
|
CVE-2019-12900.
|
|
|
|
|
|
|
|
The extra selectors were written out after the array inside the
|
|
|
|
DState struct. But the struct has extra space allocated after the
|
|
|
|
selector arrays of 18060 bytes (which is larger than 14766).
|
|
|
|
All of which will be initialized later (so the overwrite of that
|
|
|
|
space with extra selector values would have been harmless).
|
2024-11-15 13:56:14 +00:00
|
|
|
|
|
|
|
Backport of upstream commit b07b105d1b66e32760095e3602261738443b9e13
|
2024-11-15 13:29:49 +00:00
|
|
|
---
|
|
|
|
compress.c | 2 +-
|
|
|
|
decompress.c | 10 ++++++++--
|
|
|
|
2 files changed, 9 insertions(+), 3 deletions(-)
|
|
|
|
|
|
|
|
diff --git a/compress.c b/compress.c
|
2024-11-15 13:56:14 +00:00
|
|
|
index caf7696..19b662b 100644
|
2024-11-15 13:29:49 +00:00
|
|
|
--- a/compress.c
|
|
|
|
+++ b/compress.c
|
|
|
|
@@ -454,7 +454,7 @@ void sendMTFValues ( EState* s )
|
|
|
|
|
|
|
|
AssertH( nGroups < 8, 3002 );
|
|
|
|
AssertH( nSelectors < 32768 &&
|
|
|
|
- nSelectors <= (2 + (900000 / BZ_G_SIZE)),
|
|
|
|
+ nSelectors <= BZ_MAX_SELECTORS,
|
|
|
|
3003 );
|
|
|
|
|
|
|
|
|
|
|
|
diff --git a/decompress.c b/decompress.c
|
2024-11-15 13:56:14 +00:00
|
|
|
index b6e0a29..78060c9 100644
|
2024-11-15 13:29:49 +00:00
|
|
|
--- a/decompress.c
|
|
|
|
+++ b/decompress.c
|
|
|
|
@@ -287,7 +287,7 @@ Int32 BZ2_decompress ( DState* s )
|
|
|
|
GET_BITS(BZ_X_SELECTOR_1, nGroups, 3);
|
2024-11-15 13:56:14 +00:00
|
|
|
if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR);
|
2024-11-15 13:29:49 +00:00
|
|
|
GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15);
|
|
|
|
- if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) RETURN(BZ_DATA_ERROR);
|
|
|
|
+ if (nSelectors < 1) RETURN(BZ_DATA_ERROR);
|
|
|
|
for (i = 0; i < nSelectors; i++) {
|
|
|
|
j = 0;
|
|
|
|
while (True) {
|
|
|
|
@@ -296,8 +296,14 @@ Int32 BZ2_decompress ( DState* s )
|
|
|
|
j++;
|
|
|
|
if (j >= nGroups) RETURN(BZ_DATA_ERROR);
|
|
|
|
}
|
|
|
|
- s->selectorMtf[i] = j;
|
|
|
|
+ /* Having more than BZ_MAX_SELECTORS doesn't make much sense
|
|
|
|
+ since they will never be used, but some implementations might
|
|
|
|
+ "round up" the number of selectors, so just ignore those. */
|
|
|
|
+ if (i < BZ_MAX_SELECTORS)
|
|
|
|
+ s->selectorMtf[i] = j;
|
|
|
|
}
|
|
|
|
+ if (nSelectors > BZ_MAX_SELECTORS)
|
|
|
|
+ nSelectors = BZ_MAX_SELECTORS;
|
|
|
|
|
|
|
|
/*--- Undo the MTF values for the selectors. ---*/
|
|
|
|
{
|
|
|
|
--
|
|
|
|
2.43.5
|
|
|
|
|