Description: Fix out-of-bounds read We need to handle possible overflows, by using an int instead of a short, and terminating if after computing the index it is out-of-bounds.
Author: Guillem Jover
Origin: vendor
Bug-Debian: https://bugs.debian.org/783948
Forwarded: no
Last-Update: 2015-07-01
---
--- arj-3.10.22.orig/decode.c
+++ arj-3.10.22/decode.c
@@ -416,10 +416,10 @@ static void NEAR decode_end()
 void decode(int action)
 {
- short i;
- short r;
- short c;
- static short j;
+ int i;
+ int r;
+ int c;
+ static int j;
 #if SFX_LEVEL>=ARJSFXV
 if(!setjmp(decode_proc))
@@ -450,9 +450,12 @@ void decode(int action)
 {
 j=c-(UCHAR_MAX+1-THRESHOLD);
 count-=(unsigned long)j;
- i=r-decode_p()-1;
+ int P = decode_p();
+ i=r-P-1;
 if(i<0)
 i+=DICSIZ;
+ if(i<0)
+ goto termination;
 if(r>i&&r=0)
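Review bot: The change from `short` to `int` in the first hunk of decode() only widens anything where `int` is larger than `short`; C guarantees just 16 bits for `int`, and the `NEAR` qualifier in the hunk context suggests the file may also be built for 16-bit targets, where the index arithmetic could still wrap. If those builds still matter, `long i;` (and likewise for `r`, `c` and the static `j`) would make the fix independent of the platform. A short comment such as `/* int, not short: index arithmetic below must not wrap */` would also keep a later cleanup from narrowing them again. The body of decode() continues outside the hunk.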
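Review bot: The new `if(i<0) goto termination;` guard in the second hunk checks only the lower bound of the dictionary index. The return type and range of decode_p() are not visible here; if the value stored in `int P` can ever be negative, `i=r-P-1` can land at or above DICSIZ and still pass, so `if(i<0||i>=DICSIZ) goto termination;` would close both ends. `int P = decode_p();` is also a declaration after statements, which pre-C99 compilers reject, and its uppercase name differs from the other locals; declaring a lowercase `int p;` next to `i`, `r` and `c` at the top of decode() avoids both. The `termination` label is not among the lines shown, and the rest of the loop body lies outside the hunk.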