[BusyBox 0000411]: byte overflow in decompress_unzip.c

bugs at busybox.net
Wed Aug 31 17:40:08 UTC 2005


The following issue has been SUBMITTED. 
====================================================================== 
http://busybox.net/bugs/view.php?id=411 
====================================================================== 
Reported By:                avati
Assigned To:                BusyBox
====================================================================== 
Project:                    BusyBox
Issue ID:                   411
Category:                   Other
Reproducibility:            always
Severity:                   minor
Priority:                   normal
Status:                     assigned
====================================================================== 
Date Submitted:             08-31-2005 10:40 PDT
Last Modified:              08-31-2005 10:40 PDT
====================================================================== 
Summary:                    byte overflow in decompress_unzip.c
Description: 
in function inflate_gunzip() in archival/libunarchive/decompress_unzip.c
just after calling inflate_unzip() there is this line:

count = bytebuffer_size - bytebuffer_offset;
if (count < 8) {
 ...

but count is a char (1 byte) i hit a situation where bytebuffer_size -
bytebuffer_offset was 2305 and gzip was complaining 'Short read' (there
is a bb_xread_all in the 'if' condition which tries to read from in-fd
which has already eof'd)

count being 1 byte interpreted 2305 as 7 and wrongly entered the 'if'

as far as functionality is concerned this happens _after_ the actual
un-gzip and only the trailers are affected (which tar happily neglects
as it knows its boundary limit).. but the code is bad and results in
wrong exit status, which affected my script..

have attached a small diff which changes the char to int.. the fix most
likely is fixing the symptom and not the root cause, or maybe the root
cause itself.


====================================================================== 

Issue History 
Date Modified   Username       Field                    Change               
====================================================================== 
08-31-05 10:40  avati          New Issue                                    
08-31-05 10:40  avati          Status                   new => assigned     
08-31-05 10:40  avati          Assigned To               => BusyBox         
08-31-05 10:40  avati          File Added: decompress_unzip.diff                
   
======================================================================
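
The truncation described in the report, as an added example that is not part of the original report, its attached diff, or BusyBox's code: a self-contained model of the `count < 8` check with a one-byte counter beside an int-sized one. The function names, the use of `unsigned char` (plain `char` signedness varies by platform) and the end-of-file model are assumptions made for illustration.

```c
#include <stdio.h>

#define GZIP_TRAILER_LEN 8u /* CRC32 + ISIZE that follow the deflate stream */

/* Buggy shape: the leftover byte count is stored in one byte, so only its
 * low 8 bits survive. Returns how many more bytes the caller would then try
 * to read from the input to complete the trailer. */
static unsigned extra_read_narrow(unsigned bytebuffer_size, unsigned bytebuffer_offset)
{
    unsigned char count = (unsigned char)(bytebuffer_size - bytebuffer_offset);
    return count < GZIP_TRAILER_LEN ? GZIP_TRAILER_LEN - count : 0;
}

/* Fixed shape: the counter is as wide as the values it is computed from. */
static unsigned extra_read_wide(unsigned bytebuffer_size, unsigned bytebuffer_offset)
{
    unsigned count = bytebuffer_size - bytebuffer_offset;
    return count < GZIP_TRAILER_LEN ? GZIP_TRAILER_LEN - count : 0;
}

/* Hypothetical model of the follow-up read: -1 stands for "Short read" when
 * more bytes are wanted than the input can still deliver, 0 for success. */
static int trailer_status(unsigned need_more, unsigned bytes_left_in_input)
{
    return need_more > bytes_left_in_input ? -1 : 0;
}

/* Counts leftover sizes in [8, max_leftover] that already hold a complete
 * trailer but still take the "need more input" branch in the narrow variant. */
static unsigned count_misfires(unsigned max_leftover)
{
    unsigned n = 0;
    for (unsigned left = GZIP_TRAILER_LEN; left <= max_leftover; left++)
        if (extra_read_narrow(left, 0) != 0)
            n++;
    return n;
}

int main(void)
{
    unsigned left = 2305; /* leftover size quoted in the report */
    printf("narrow: wants %u more bytes, status at EOF %d\n",
           extra_read_narrow(left, 0), trailer_status(extra_read_narrow(left, 0), 0));
    printf("wide:   wants %u more bytes, status at EOF %d\n",
           extra_read_wide(left, 0), trailer_status(extra_read_wide(left, 0), 0));
    printf("misfiring leftover sizes up to 4096: %u\n", count_misfires(4096));
    return 0;
}
```
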



