Author: cperciva
Date: Mon Sep 20 14:58:08 2010
New Revision: 212901
URL: http://svn.freebsd.org/changeset/base/212901

Log:
  Fix an integer overflow in RLE length parsing when decompressing
  corrupt bzip2 data.
  
  Approved by:  so (cperciva)
  Security:     FreeBSD-SA-10:08.bzip2

Modified:
  releng/6.4/UPDATING
  releng/6.4/contrib/bzip2/decompress.c
  releng/6.4/sys/conf/newvers.sh
  releng/7.1/UPDATING
  releng/7.1/contrib/bzip2/decompress.c
  releng/7.1/sys/conf/newvers.sh
  releng/7.3/UPDATING
  releng/7.3/contrib/bzip2/decompress.c
  releng/7.3/sys/conf/newvers.sh
  releng/8.0/UPDATING
  releng/8.0/contrib/bzip2/decompress.c
  releng/8.0/sys/conf/newvers.sh
  releng/8.1/UPDATING
  releng/8.1/contrib/bzip2/decompress.c
  releng/8.1/sys/conf/newvers.sh

Changes in other areas also in this revision:
Modified:
  head/contrib/bzip2/decompress.c
  stable/6/contrib/bzip2/decompress.c
  stable/7/contrib/bzip2/decompress.c
  stable/8/contrib/bzip2/decompress.c

Modified: releng/6.4/UPDATING
==============================================================================
--- releng/6.4/UPDATING Mon Sep 20 13:48:07 2010        (r212900)
+++ releng/6.4/UPDATING Mon Sep 20 14:58:08 2010        (r212901)
@@ -8,6 +8,10 @@ Items affecting the ports and packages s
 /usr/ports/UPDATING.  Please read that file before running
 portupgrade.
 
+20100920:      p11     FreeBSD-SA-10:08.bzip2
+       Fix an integer overflow in RLE length parsing when decompressing
+       corrupt bzip2 data.
+
 20100526:      p10     FreeBSD-SA-10:05.opie
        Fix a one-NUL-byte buffer overflow in libopie. [10:05]
 

Modified: releng/6.4/contrib/bzip2/decompress.c
==============================================================================
--- releng/6.4/contrib/bzip2/decompress.c       Mon Sep 20 13:48:07 2010        
(r212900)
+++ releng/6.4/contrib/bzip2/decompress.c       Mon Sep 20 14:58:08 2010        
(r212901)
@@ -381,6 +381,13 @@ Int32 BZ2_decompress ( DState* s )
             es = -1;
             N = 1;
             do {
+               /* Check that N doesn't get too big, so that es doesn't
+                  go negative.  The maximum value that can be
+                  RUNA/RUNB encoded is equal to the block size (post
+                  the initial RLE), viz, 900k, so bounding N at 2
+                  million should guard against overflow without
+                  rejecting any legitimate inputs. */
+               if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR);
                if (nextSym == BZ_RUNA) es = es + (0+1) * N; else
                if (nextSym == BZ_RUNB) es = es + (1+1) * N;
                N = N * 2;
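Review bot: The new bound on line `if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR);` is a bare magic number that the reader has to tie back to the prose comment above it; a named constant, e.g. a file-scope `#define` (constructed name, pick one that fits the file's style) used as `if (N >= RUN_N_LIMIT) RETURN(BZ_DATA_ERROR);`, would make the limit greppable and keep the comment and the code from drifting apart. It would also help to state the derived bound in the comment, since that is what actually matters for `es`: with the check placed before the accumulation, the largest `N` ever added is 2^20, so `es` is at most 2 * (2^21 - 1) ≈ 4.2M after the loop, which fits comfortably in an Int32 and is the reason the check only needs to look at `N`. The loop condition and the later consumer of `es` (presumably the `while (es > 0)` fill loop that checks against `nblockMAX`) lie outside this hunk, so whether the per-block limit is still enforced downstream cannot be confirmed here; `BZ2_decompress` itself starts and ends outside the hunk. The same hunk is repeated verbatim for the releng/7.1, 7.3, 8.0 and 8.1 copies of decompress.c below, and this note applies to each of them.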

Modified: releng/6.4/sys/conf/newvers.sh
==============================================================================
--- releng/6.4/sys/conf/newvers.sh      Mon Sep 20 13:48:07 2010        
(r212900)
+++ releng/6.4/sys/conf/newvers.sh      Mon Sep 20 14:58:08 2010        
(r212901)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="6.4"
-BRANCH="RELEASE-p10"
+BRANCH="RELEASE-p11"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
        BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/7.1/UPDATING
==============================================================================
--- releng/7.1/UPDATING Mon Sep 20 13:48:07 2010        (r212900)
+++ releng/7.1/UPDATING Mon Sep 20 14:58:08 2010        (r212901)
@@ -8,6 +8,10 @@ Items affecting the ports and packages s
 /usr/ports/UPDATING.  Please read that file before running
 portupgrade.
 
+20100920:      p14     FreeBSD-SA-10:08.bzip2
+       Fix an integer overflow in RLE length parsing when decompressing
+       corrupt bzip2 data.
+
 20100713:      p13     FreeBSD-SA-10:07.mbuf
        Correctly copy the M_RDONLY flag when duplicating a reference
        to an mbuf external buffer.

Modified: releng/7.1/contrib/bzip2/decompress.c
==============================================================================
--- releng/7.1/contrib/bzip2/decompress.c       Mon Sep 20 13:48:07 2010        
(r212900)
+++ releng/7.1/contrib/bzip2/decompress.c       Mon Sep 20 14:58:08 2010        
(r212901)
@@ -381,6 +381,13 @@ Int32 BZ2_decompress ( DState* s )
             es = -1;
             N = 1;
             do {
+               /* Check that N doesn't get too big, so that es doesn't
+                  go negative.  The maximum value that can be
+                  RUNA/RUNB encoded is equal to the block size (post
+                  the initial RLE), viz, 900k, so bounding N at 2
+                  million should guard against overflow without
+                  rejecting any legitimate inputs. */
+               if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR);
                if (nextSym == BZ_RUNA) es = es + (0+1) * N; else
                if (nextSym == BZ_RUNB) es = es + (1+1) * N;
                N = N * 2;

Modified: releng/7.1/sys/conf/newvers.sh
==============================================================================
--- releng/7.1/sys/conf/newvers.sh      Mon Sep 20 13:48:07 2010        
(r212900)
+++ releng/7.1/sys/conf/newvers.sh      Mon Sep 20 14:58:08 2010        
(r212901)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="7.1"
-BRANCH="RELEASE-p13"
+BRANCH="RELEASE-p14"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
        BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/7.3/UPDATING
==============================================================================
--- releng/7.3/UPDATING Mon Sep 20 13:48:07 2010        (r212900)
+++ releng/7.3/UPDATING Mon Sep 20 14:58:08 2010        (r212901)
@@ -8,6 +8,10 @@ Items affecting the ports and packages s
 /usr/ports/UPDATING.  Please read that file before running
 portupgrade.
 
+20100920:      p3      FreeBSD-SA-10:08.bzip2
+       Fix an integer overflow in RLE length parsing when decompressing
+       corrupt bzip2 data.
+
 20100713:      p2      FreeBSD-SA-10:07.mbuf
        Correctly copy the M_RDONLY flag when duplicating a reference
        to an mbuf external buffer.

Modified: releng/7.3/contrib/bzip2/decompress.c
==============================================================================
--- releng/7.3/contrib/bzip2/decompress.c       Mon Sep 20 13:48:07 2010        
(r212900)
+++ releng/7.3/contrib/bzip2/decompress.c       Mon Sep 20 14:58:08 2010        
(r212901)
@@ -381,6 +381,13 @@ Int32 BZ2_decompress ( DState* s )
             es = -1;
             N = 1;
             do {
+               /* Check that N doesn't get too big, so that es doesn't
+                  go negative.  The maximum value that can be
+                  RUNA/RUNB encoded is equal to the block size (post
+                  the initial RLE), viz, 900k, so bounding N at 2
+                  million should guard against overflow without
+                  rejecting any legitimate inputs. */
+               if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR);
                if (nextSym == BZ_RUNA) es = es + (0+1) * N; else
                if (nextSym == BZ_RUNB) es = es + (1+1) * N;
                N = N * 2;

Modified: releng/7.3/sys/conf/newvers.sh
==============================================================================
--- releng/7.3/sys/conf/newvers.sh      Mon Sep 20 13:48:07 2010        
(r212900)
+++ releng/7.3/sys/conf/newvers.sh      Mon Sep 20 14:58:08 2010        
(r212901)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="7.3"
-BRANCH="RELEASE-p2"
+BRANCH="RELEASE-p3"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
        BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/8.0/UPDATING
==============================================================================
--- releng/8.0/UPDATING Mon Sep 20 13:48:07 2010        (r212900)
+++ releng/8.0/UPDATING Mon Sep 20 14:58:08 2010        (r212901)
@@ -15,6 +15,10 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8.
        debugging tools present in HEAD were left in place because
        sun4v support still needs work to become production ready.
 
+20100920:      p5      FreeBSD-SA-10:08.bzip2
+       Fix an integer overflow in RLE length parsing when decompressing
+       corrupt bzip2 data.
+
 20100713:      p4      FreeBSD-SA-10:07.mbuf
        Correctly copy the M_RDONLY flag when duplicating a reference
        to an mbuf external buffer.

Modified: releng/8.0/contrib/bzip2/decompress.c
==============================================================================
--- releng/8.0/contrib/bzip2/decompress.c       Mon Sep 20 13:48:07 2010        
(r212900)
+++ releng/8.0/contrib/bzip2/decompress.c       Mon Sep 20 14:58:08 2010        
(r212901)
@@ -381,6 +381,13 @@ Int32 BZ2_decompress ( DState* s )
             es = -1;
             N = 1;
             do {
+               /* Check that N doesn't get too big, so that es doesn't
+                  go negative.  The maximum value that can be
+                  RUNA/RUNB encoded is equal to the block size (post
+                  the initial RLE), viz, 900k, so bounding N at 2
+                  million should guard against overflow without
+                  rejecting any legitimate inputs. */
+               if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR);
                if (nextSym == BZ_RUNA) es = es + (0+1) * N; else
                if (nextSym == BZ_RUNB) es = es + (1+1) * N;
                N = N * 2;

Modified: releng/8.0/sys/conf/newvers.sh
==============================================================================
--- releng/8.0/sys/conf/newvers.sh      Mon Sep 20 13:48:07 2010        
(r212900)
+++ releng/8.0/sys/conf/newvers.sh      Mon Sep 20 14:58:08 2010        
(r212901)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="8.0"
-BRANCH="RELEASE-p4"
+BRANCH="RELEASE-p5"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
        BRANCH=${BRANCH_OVERRIDE}
 fi

Modified: releng/8.1/UPDATING
==============================================================================
--- releng/8.1/UPDATING Mon Sep 20 13:48:07 2010        (r212900)
+++ releng/8.1/UPDATING Mon Sep 20 14:58:08 2010        (r212901)
@@ -15,6 +15,10 @@ NOTE TO PEOPLE WHO THINK THAT FreeBSD 8.
        debugging tools present in HEAD were left in place because
        sun4v support still needs work to become production ready.
 
+20100920:      p1      FreeBSD-SA-10:08.bzip2
+       Fix an integer overflow in RLE length parsing when decompressing
+       corrupt bzip2 data.
+
 20100720:
        8.1-RELEASE.
 

Modified: releng/8.1/contrib/bzip2/decompress.c
==============================================================================
--- releng/8.1/contrib/bzip2/decompress.c       Mon Sep 20 13:48:07 2010        
(r212900)
+++ releng/8.1/contrib/bzip2/decompress.c       Mon Sep 20 14:58:08 2010        
(r212901)
@@ -381,6 +381,13 @@ Int32 BZ2_decompress ( DState* s )
             es = -1;
             N = 1;
             do {
+               /* Check that N doesn't get too big, so that es doesn't
+                  go negative.  The maximum value that can be
+                  RUNA/RUNB encoded is equal to the block size (post
+                  the initial RLE), viz, 900k, so bounding N at 2
+                  million should guard against overflow without
+                  rejecting any legitimate inputs. */
+               if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR);
                if (nextSym == BZ_RUNA) es = es + (0+1) * N; else
                if (nextSym == BZ_RUNB) es = es + (1+1) * N;
                N = N * 2;

Modified: releng/8.1/sys/conf/newvers.sh
==============================================================================
--- releng/8.1/sys/conf/newvers.sh      Mon Sep 20 13:48:07 2010        
(r212900)
+++ releng/8.1/sys/conf/newvers.sh      Mon Sep 20 14:58:08 2010        
(r212901)
@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="8.1"
-BRANCH="RELEASE"
+BRANCH="RELEASE-p1"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
        BRANCH=${BRANCH_OVERRIDE}
 fi