This is an automated email from the ASF dual-hosted git repository.
bodewig pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/commons-compress.git
commit 70835c96f0adf6cf000df1892b21681a129d707a
Author: Stefan Bodewig <bode...@apache.org>
AuthorDate: Tue Jan 21 13:12:34 2020 +0100
still check nSelectors in not negative
see #91
---
.../compressors/bzip2/BZip2CompressorInputStream.java | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git
a/src/main/java/org/apache/commons/compress/compressors/bzip2/BZip2CompressorInputStream.java
b/src/main/java/org/apache/commons/compress/compressors/bzip2/BZip2CompressorInputStream.java
index 116772c..d6e1500 100644
---
a/src/main/java/org/apache/commons/compress/compressors/bzip2/BZip2CompressorInputStream.java
+++
b/src/main/java/org/apache/commons/compress/compressors/bzip2/BZip2CompressorInputStream.java
@@ -494,7 +494,10 @@ public class BZip2CompressorInputStream extends
CompressorInputStream
final int alphaSize = this.nInUse + 2;
/* Now the selectors */
final int nGroups = bsR(bin, 3);
- int nSelectors = bsR(bin, 15);
+ final int selectors = bsR(bin, 15);
+ if (selectors < 0) {
+ throw new IOException("Corrupted input, nSelectors value
negative");
+ }
checkBounds(alphaSize, MAX_ALPHA_SIZE + 1, "alphaSize");
checkBounds(nGroups, N_GROUPS + 1, "nGroups");
@@ -502,17 +505,16 @@ public class BZip2CompressorInputStream extends
CompressorInputStream
// See
https://gnu.wildebeest.org/blog/mjw/2019/08/02/bzip2-and-the-cve-that-wasnt/
// and https://sourceware.org/ml/bzip2-devel/2019-q3/msg00007.html
- for (int i = 0; i < nSelectors; i++) {
+ for (int i = 0; i < selectors; i++) {
int j = 0;
while (bsGetBit(bin)) {
j++;
}
- if (i < MAX_SELECTORS)
+ if (i < MAX_SELECTORS) {
selectorMtf[i] = (byte) j;
+ }
}
- if (nSelectors > MAX_SELECTORS) {
- nSelectors = MAX_SELECTORS;
- }
+ final int nSelectors = selectors > MAX_SELECTORS ? MAX_SELECTORS :
selectors;
/* Undo the MTF values for the selectors. */
for (int v = nGroups; --v >= 0;) {
