From 67b090f860e466b12a65bdb26b3916cad1bfc497 Mon Sep 17 00:00:00 2001
From: Jakub Martisko
Date: Mon, 4 Nov 2024 16:01:39 +0100
Subject: [PATCH] Fix out of bound access in BZ2_decompress
Resolves: RHEL-65198
---
 bzip2-out_of_bounds.patch | 32 ++++++++++++++++++++++++++++++++
 bzip2.spec | 8 +++++++-
 2 files changed, 39 insertions(+), 1 deletion(-)
 create mode 100644 bzip2-out_of_bounds.patch
diff --git a/bzip2-out_of_bounds.patch b/bzip2-out_of_bounds.patch
new file mode 100644
index 0000000..f7563a2
--- /dev/null
+++ b/bzip2-out_of_bounds.patch
@@ -0,0 +1,32 @@
+From 74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc Mon Sep 17 00:00:00 2001
+From: Albert Astals Cid
+Date: Tue, 28 May 2019 19:35:18 +0200
+Subject: [PATCH] Make sure nSelectors is not out of range
+
+nSelectors is used in a loop from 0 to nSelectors to access selectorMtf
+which is
+ UChar selectorMtf[BZ_MAX_SELECTORS];
+so if nSelectors is bigger than BZ_MAX_SELECTORS it'll do an invalid memory
+access
+
+Fixes out of bounds access discovered while fuzzying karchive
+---
+ decompress.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/decompress.c b/decompress.c
+index ab6a624..f3db91d 100644
+--- a/decompress.c
++++ b/decompress.c
+@@ -287,7 +287,7 @@ Int32 BZ2_decompress ( DState* s )
+ GET_BITS(BZ_X_SELECTOR_1, nGroups, 3);
+ if (nGroups < 2 || nGroups > BZ_N_GROUPS) RETURN(BZ_DATA_ERROR);
+ GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15);
+- if (nSelectors < 1) RETURN(BZ_DATA_ERROR);
++ if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) RETURN(BZ_DATA_ERROR);
+ for (i = 0; i < nSelectors; i++) {
+ j = 0;
+ while (True) {
+--
+GitLab
+
diff --git a/bzip2.spec b/bzip2.spec
index bb7b12f..c653372 100644
--- a/bzip2.spec
+++ b/bzip2.spec
@@ -3,7 +3,7 @@
 Summary: A file compression utility
 Name: bzip2
 Version: 1.0.8
-Release: 8%{?dist}
+Release: 9%{?dist}
 License: BSD
 URL: http://www.bzip.org/
 #Source0: http://www.bzip.org/%{version}/%{name}-%{version}.tar.gz
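Review bot: The added bound `nSelectors > BZ_MAX_SELECTORS` in the embedded decompress.c hunk makes an over-long selector count a hard `BZ_DATA_ERROR`, and the spec applies it on top of `Version: 1.0.8`. As far as I recall, upstream 1.0.8 already covers this case by skipping out-of-range stores into `selectorMtf` and clamping `nSelectors` after the loop, precisely so that streams from encoders that round the count up still decompress; please confirm this against the unpacked 1.0.8 tree. If it holds, the patch adds no memory-safety benefit and makes such files undecompressible, so either drop it or state in the patch header why the stricter rejection is wanted. The loop body that indexes `selectorMtf` lies outside the hunk, so the store itself cannot be checked from here.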
@@ -14,6 +14,7 @@ Patch0: bzip2-saneso.patch Patch1: bzip2-cflags.patch Patch2: bzip2-ldflags.patch Patch3: man_gzipdiff.patch +Patch4: bzip2-out_of_bounds.patch BuildRequires: gcc BuildRequires: make @@ -58,6 +59,7 @@ Static libraries for applications using the bzip2 compression format. %patch1 -p1 %patch2 -p1 %patch3 -p2 +%patch4 -p1 cp -a %{SOURCE1} . sed -i "s|^libdir=|libdir=%{_libdir}|" bzip2.pc @@ -136,6 +138,10 @@ ln -s bzgrep.1 $RPM_BUILD_ROOT%{_mandir}/man1/bzfgrep.1 %{_libdir}/pkgconfig/bzip2.pc %changelog +* Mon Oct 04 2024 Jakub Martisko - 1.0.8-9 +- Fix out of boinds access in BZ2_decompress +Resolves: RHEL-65198 + * Mon Aug 09 2021 Mohan Boddu - 1.0.8-8 - Rebuilt for IMA sigs, glibc 2.34, aarch64 flags Related: rhbz#1991688
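Review bot: The new %changelog entry is dated `Mon Oct 04 2024`, but 4 October 2024 was a Friday and the commit itself is dated Mon, 4 Nov 2024, so the month looks wrong; rpmbuild reports a weekday/date mismatch like this as a bogus date. The entry should presumably read `* Mon Nov 04 2024 Jakub Martisko - 1.0.8-9`. The same entry spells "bounds" as `boinds`, which is worth correcting because changelog text is what people search when checking whether a build carries this fix.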