byte overflow in decompress_unzip.c
Anand Avati
avati at hardcodecafe.com
Thu Sep 1 04:32:33 UTC 2005
Bug #441 was filed by me for the same, as the FAQ section encouraged me to. Looks like I don't have the rights to move the bug to the 'resolved' state. Could you please update that as well?
regards,
avati
On Wed, Aug 31, 2005 at 05:04:21PM -0500, Rob Landley wrote:
> On Wednesday 31 August 2005 07:30, Anand Avati wrote:
> > hi,
> > in function inflate_gunzip() in archival/libunarchive/decompress_unzip.c
> > just after calling inflate_unzip() there is this line:
> >
> > count = bytebuffer_size - bytebuffer_offset;
> > if (count < 8) {
> > ...
> >
> > but count is a char (1 byte). I hit a situation where bytebuffer_size -
> > bytebuffer_offset was 2305 and gzip was complaining 'Short read' (there
>
> Yeah, classic integer overflow bug. An extra 3 bytes on the stack isn't going
> to kill us. :)
>
> Applied.
>
> Rob
>
---end quoted text---
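The truncation the report describes, as an added example that is not part of the original message or of BusyBox's code: only the names bytebuffer_size, bytebuffer_offset and count come from the report; the helper functions, the unsigned int parameter types and the sample values other than 2305 are assumptions made for illustration. A difference of 2305 stored in a char keeps only the low 8 bits (2305 = 9 * 256 + 1), so the "< 8" check fires and reports a short read on a buffer that actually holds more than two kilobytes.

```c
/* Added example, not BusyBox code. Demonstrates why a count declared
 * as char makes the "count < 8" short-read check misfire.
 * Parameter types and helper names are hypothetical. */
#include <stdio.h>

/* The shape of the reported check: count is a plain char, so the
 * difference is reduced modulo 256 (and may go negative if char is
 * signed) before the comparison ever sees it. Returns the value the
 * comparison actually operates on. */
static int truncated_count(unsigned int bytebuffer_size,
                           unsigned int bytebuffer_offset)
{
    char count = bytebuffer_size - bytebuffer_offset; /* silent narrowing */
    return count;
}

/* 1 if the narrowed check would take the 'Short read' path, else 0. */
static int short_read_truncated(unsigned int bytebuffer_size,
                                unsigned int bytebuffer_offset)
{
    char count = bytebuffer_size - bytebuffer_offset;
    return count < 8;
}

/* The same check with count wide enough to hold any buffer difference.
 * This is the class of fix Rob's reply refers to (a few more bytes on
 * the stack), not a copy of the applied patch. */
static int short_read_fixed(unsigned int bytebuffer_size,
                            unsigned int bytebuffer_offset)
{
    unsigned int count = bytebuffer_size - bytebuffer_offset;
    return count < 8;
}

int main(void)
{
    /* Constructed sample inputs: the 2305 from the report, plus the
     * boundary values 7, 8 and 264 (264 wraps to exactly 8). */
    unsigned int sizes[] = { 2305, 7, 8, 264 };
    size_t i;

    printf("%8s %10s %10s %8s\n", "size", "char cnt", "short(char)", "short(ok)");
    for (i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        printf("%8u %10d %10d %8d\n", sizes[i],
               truncated_count(sizes[i], 0),
               short_read_truncated(sizes[i], 0),
               short_read_fixed(sizes[i], 0));
    }
    return 0;
}
```

Compiling the narrowed version with -Wconversion (gcc or clang) warns on the assignment to count; a warning-clean build with that flag enabled is the cheapest way to catch this class of bug before a user does.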