byte overflow in decompress_unzip.c

Anand Avati avati at
Wed Aug 31 12:30:47 UTC 2005

in function inflate_gunzip() in archival/libunarchive/decompress_unzip.c 
just after calling inflate_unzip() there is this line:

count = bytebuffer_size - bytebuffer_offset;
if (count < 8) {

but count is a char (1 byte) i hit a situation where bytebuffer_size -
bytebuffer_offset was 2305 and gzip was complaining 'Short read' (there
is a bb_xread_all in the 'if' condition which tries to read from in-fd
which has already eof'd)

count being 1 byte interpreted 2305 as 7 and wrongly entered the 'if'

as far as functionality is concerned this happens _after_ the actual
un-gzip and only the trailers are affected (which tar happily neglects
as it knows its boundry limit).. but the code is bad and results in
wrong exit status, which affected my script..

have attached a small diff which changes the char to int.. the fix most
likely is fixing the symptom and not the root cause, or maybe the root
cause itself.


ps: i'm trying to re-create a new tgz which can show the 'short read'
thingy as i cant give the tgz which i came across due to copyright

Anand V. Avati
finger avati at
-------------- next part --------------
diff -pruN busybox/archival/libunarchive/decompress_unzip.c busybox-fix/archival/libunarchive/decompress_unzip.c
--- busybox/archival/libunarchive/decompress_unzip.c	2005-08-31 14:53:05.000000000 +0530
+++ busybox-fix/archival/libunarchive/decompress_unzip.c	2005-08-31 15:03:00.000000000 +0530
@@ -956,7 +956,7 @@ extern int inflate_unzip(int in, int out
 extern int inflate_gunzip(int in, int out)
 	unsigned int stored_crc = 0;
-	unsigned char count;
+	unsigned int count;
 	inflate_unzip(in, out);

More information about the busybox mailing list