decompress_bunzip2: fix rare decompression failure

commit bf6acd5d16 upstream.

The decompression code parses a huffman tree and counts the number of
symbols for a given bit length.  In rare cases, there may be >= 256
symbols with a given bit length, causing the unsigned char to overflow.
This causes a decompression failure later when the code tries and fails to
find the bit length for a given symbol.

Since the maximum number of symbols is 258, use unsigned short instead.

Link: https://lkml.kernel.org/r/20240717162016.1514077-1-ross.lagerwall@citrix.com
Fixes: bc22c17e12 ("bzip2/lzma: library support for gzip, bzip2 and lzma decompression")
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Cc: Alain Knaff <alain@knaff.lu>
Cc: "H. Peter Anvin" <hpa@zytor.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This commit is contained in:
Ross Lagerwall 2024-07-17 17:20:16 +01:00 committed by Greg Kroah-Hartman
parent 8d4fc803ff
commit 362ded08cc

View File

@ -232,7 +232,8 @@ static int INIT get_next_block(struct bunzip_data *bd)
RUNB) */ RUNB) */
symCount = symTotal+2; symCount = symTotal+2;
for (j = 0; j < groupCount; j++) { for (j = 0; j < groupCount; j++) {
unsigned char length[MAX_SYMBOLS], temp[MAX_HUFCODE_BITS+1]; unsigned char length[MAX_SYMBOLS];
unsigned short temp[MAX_HUFCODE_BITS+1];
int minLen, maxLen, pp; int minLen, maxLen, pp;
/* Read Huffman code lengths for each symbol. They're /* Read Huffman code lengths for each symbol. They're
stored in a way similar to mtf; record a starting stored in a way similar to mtf; record a starting