-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Synopsis: Integer overflow in libbz2 decompression code
NetBSD versions: 5.0, 4.0.1, 4.0
Thanks to: Mikolaj Izdebski, Christos Zoulas
Reported in NetBSD Security Advisory: NetBSD-SA2010-007

Index: dist/bzip2/decompress.c
===================================================================
RCS file: /cvsroot/src/dist/bzip2/decompress.c,v
diff -u
- --- dist/bzip2/decompress.c	18 Mar 2008 14:41:45 -0000	1.1.1.3
+++ dist/bzip2/decompress.c	22 Sep 2010 22:52:03 -0000	1.1.1.3.12.1
@@ -381,6 +381,13 @@
             es = -1;
             N = 1;
             do {
+               /* Check that N doesn't get too big, so that es doesn't
+                  go negative.  The maximum value that can be
+                  RUNA/RUNB encoded is equal to the block size (post
+                  the initial RLE), viz, 900k, so bounding N at 2
+                  million should guard against overflow without
+                  rejecting any legitimate inputs. */
+               if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR);
                if (nextSym == BZ_RUNA) es = es + (0+1) * N; else
                if (nextSym == BZ_RUNB) es = es + (1+1) * N;
                N = N * 2;
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (NetBSD)

iQIcBAEBAgAGBQJMriavAAoJEAZJc6xMSnBuLr4P/jwS6I2Z1hGTHN7kNayS1+Mu
wSmYW/RRoKO35xByp8tHOa5biYy0i6ZSxNsoQdXsa0SK8y1xBPgqLVgMQcglgNrV
5Bzhh97OoLCIYiSLymumpozxHLUbNZFoxWMdv6JJIS/reyhoI9m3pcn6nhrHbT4W
FPg3RCX/PKe+Ng+9DuHHqs2+dBqP7n4oeVqgdxkiQOlsI29DZLtDj3jyS2XKNWhK
v2ZJi9QNsxL43PO2H7mlKluMbCQJBWLpDfvrGoI/d9iXM2CBgMLeapb0g8GWJgbC
/ToKKCJuO+icHU17rjqnFq/r98arWXTfFekuT+058e0dLx5eAq1aJ/lCZSlTnRVc
vTCwMVzqMuJl4eVtqtGUj9NZnngLX8X5+7KU7ryxJA8z5GoSaLxoKAA42SB4MX0k
72eDCXqH0PeGfN3nviZtKwTXP9b3jOpr5mnVT5U9TUzyGur+dc4owylOXj0fLrZP
4ITKwjbBl96G/SSXoR2CMQ96Sm1su9Emny/5aQY21VCgUCpu1EanbiWbiftXc/XX
QgB8NlicHmJYtYMsCsHs2TQ3fyABBi5XYoxf/ngZoT1mhe7+tFfC3DP7AK2W5ujE
udMCMb14CgU0YWQV6LmL7KNBP7kE4IIF+m4pRKg2myIfQAxRJuPs1ecdvzgSLOZT
k3s/sOIt7WDh5FIBmrla
=x0tG
-----END PGP SIGNATURE-----