byte overflow in decompress_unzip.c
Rob Landley
rob at landley.net
Wed Aug 31 22:04:21 UTC 2005
On Wednesday 31 August 2005 07:30, Anand Avati wrote:
> Hi,
> In function inflate_gunzip() in archival/libunarchive/decompress_unzip.c,
> just after calling inflate_unzip() there is this line:
>
> count = bytebuffer_size - bytebuffer_offset;
> if (count < 8) {
> ...
>
> but count is a char (1 byte). I hit a situation where bytebuffer_size -
> bytebuffer_offset was 2305 and gzip was complaining 'Short read' (there
Yeah, classic integer overflow bug. An extra 3 bytes on the stack isn't going
to kill us. :)
Applied.
Rob
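The truncation described in the report, as an added illustration that is not BusyBox code: the field and variable names mirror the post, the two functions are hypothetical, and the sizes passed in are constructed. The buggy form stores the remaining byte count in a `char`, so only the low 8 bits survive into the `< 8` comparison; 2305 (0x901) becomes 1 and trips the "Short read" path, while 2056 (0x808) becomes 8 and passes the check with a wrong count. The fixed form keeps the count at the operands' width and also guards the subtraction against an offset past the end of the buffer.

```c
#include <stdio.h>

/*
 * Constructed example, not BusyBox code. After inflate_unzip() returns,
 * inflate_gunzip() checks that at least 8 bytes remain in the byte buffer
 * for the gzip trailer (CRC32 + ISIZE). Names mirror the post above.
 */

/* Buggy form: count is a char, so the difference is implicitly narrowed to
 * 8 bits before the comparison. Returns -1 for "Short read", else count.
 * On the usual two's-complement targets, 2305 (0x901) narrows to 1. */
int trailer_check_buggy(unsigned int bytebuffer_size, unsigned int bytebuffer_offset)
{
    char count = bytebuffer_size - bytebuffer_offset; /* implicit narrowing */
    if (count < 8)
        return -1;
    return count; /* promoted back to int: only the low byte survived */
}

/* Fixed form: count has the operands' width, and the subtraction is guarded
 * so an offset past the end cannot wrap to a huge unsigned value. */
int trailer_check_fixed(unsigned int bytebuffer_size, unsigned int bytebuffer_offset)
{
    unsigned int count;
    if (bytebuffer_offset > bytebuffer_size)
        return -1; /* corrupt state: offset beyond the buffered data */
    count = bytebuffer_size - bytebuffer_offset;
    if (count < 8)
        return -1; /* genuinely short: trailer cannot be present */
    return (int)count; /* buffer sizes here are far below INT_MAX */
}

int main(void)
{
    /* 2305 remaining, the value from the report: low byte is 1 */
    printf("buggy(2305): %d\n", trailer_check_buggy(2305, 0));
    printf("fixed(2305): %d\n", trailer_check_fixed(2305, 0));
    /* 2056 remaining: low byte is 8, so the check passes with a wrong count */
    printf("buggy(2056): %d\n", trailer_check_buggy(2056, 0));
    printf("fixed(2056): %d\n", trailer_check_fixed(2056, 0));
    /* offset past the end: fixed form rejects rather than wrapping */
    printf("fixed(10,20): %d\n", trailer_check_fixed(10, 20));
    return 0;
}
```

Compiling the buggy form with gcc's `-Wconversion` flags the narrowing assignment, which is the cheapest way to catch this class of bug before a decompressor is fed untrusted input.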