List: busybox
Subject: Re: byte overflow in decompress_unzip.c
From: Rob Landley <rob () landley ! net>
Date: 2005-08-31 22:04:21
Message-ID: 200508311704.22005.rob () landley ! net
On Wednesday 31 August 2005 07:30, Anand Avati wrote:
> hi,
> in function inflate_gunzip() in archival/libunarchive/decompress_unzip.c
> just after calling inflate_unzip() there is this line:
>
> count = bytebuffer_size - bytebuffer_offset;
> if (count < 8) {
> ...
>
> but count is a char (1 byte). I hit a situation where bytebuffer_size -
> bytebuffer_offset was 2305 and gzip was complaining 'Short read' (there

Yeah, classic integer overflow bug. An extra 3 bytes on the stack isn't going
to kill us. :)

Applied.

Rob
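
The truncation discussed in this thread, shown as an added example that is not part of the original messages or the BusyBox source. The function names, the 4096-byte buffer split, and the choice of `unsigned char` for the 1-byte counter are assumptions; only the value 2305 and the `count < 8` check come from the report.

```c
#include <stdio.h>

#define GZIP_TRAILER_LEN 8 /* gzip trailer: CRC32 + ISIZE, 4 bytes each */

/* Before: the difference lands in a 1-byte counter, so only its low 8 bits
 * survive. unsigned char is assumed here to keep the wrap well defined. */
static int short_read_narrow(unsigned size, unsigned offset)
{
    unsigned char count = (unsigned char)(size - offset);
    return count < GZIP_TRAILER_LEN;
}

/* After: a full-width counter, at the cost of 3 more bytes of stack. */
static int short_read_wide(unsigned size, unsigned offset)
{
    unsigned count = size - offset;
    return count < GZIP_TRAILER_LEN;
}

/* Count leftover sizes in [lo, hi] where the two checks disagree, i.e.
 * the narrow counter reports a short read that did not happen. */
static unsigned count_false_short_reads(unsigned lo, unsigned hi)
{
    unsigned n, bad = 0;

    for (n = lo; n <= hi; n++)
        if (short_read_narrow(n, 0) != short_read_wide(n, 0))
            bad++;
    return bad;
}

int main(void)
{
    /* Constructed buffer state leaving 2305 bytes, the reported value. */
    unsigned size = 4096, offset = 4096 - 2305;

    printf("leftover=%u narrow_short_read=%d wide_short_read=%d\n",
           size - offset, short_read_narrow(size, offset),
           short_read_wide(size, offset));
    printf("false short reads for leftovers 8..4095: %u\n",
           count_false_short_reads(8, 4095));
    return 0;
}
```

Any leftover whose low byte is 0 through 7 trips the narrow check, which is why the failure shows up only for some inputs. GCC and Clang report this kind of narrowing assignment with `-Wconversion`.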