43 lines
914 B
Diff
43 lines
914 B
Diff
Description: Fix out-of-bounds read
|
|
We need to handle possible overflows, by using an int instead of a short,
|
|
and terminating if after computing the index it is out-of-bounds.
|
|
Author: Guillem Jover <guillem@debian.org>
|
|
Origin: vendor
|
|
Bug-Debian: https://bugs.debian.org/783948
|
|
Forwarded: no
|
|
Last-Update: 2015-07-01
|
|
|
|
---
|
|
|
|
--- arj-3.10.22.orig/decode.c
|
|
+++ arj-3.10.22/decode.c
|
|
@@ -416,10 +416,10 @@ static void NEAR decode_end()
|
|
|
|
void decode(int action)
|
|
{
|
|
- short i;
|
|
- short r;
|
|
- short c;
|
|
- static short j;
|
|
+ int i;
|
|
+ int r;
|
|
+ int c;
|
|
+ static int j;
|
|
|
|
#if SFX_LEVEL>=ARJSFXV
|
|
if(!setjmp(decode_proc))
|
|
@@ -450,9 +450,12 @@ void decode(int action)
|
|
{
|
|
j=c-(UCHAR_MAX+1-THRESHOLD);
|
|
count-=(unsigned long)j;
|
|
- i=r-decode_p()-1;
|
|
+ int P = decode_p();
|
|
+ i=r-P-1;
|
|
if(i<0)
|
|
i+=DICSIZ;
|
|
+ if(i<0)
|
|
+ goto termination;
|
|
if(r>i&&r<DICSIZ-MAXMATCH-1)
|
|
{
|
|
while(--j>=0)
|