bybrooklyn/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-04-18 06:44:00 -04:00
Code Issues Packages Projects Releases Wiki Activity

lib: decompress_bunzip2: fix 32-bit shift undefined behavior

Browse Source 
Fix undefined behavior caused by shifting a 32-bit integer by 32 bits
during decompression.  This prevents potential kernel decompression
failures or corruption when parsing malicious or malformed bzip2 archives.

Link: https://lkml.kernel.org/r/20260308165012.2872633-1-objecting@objecting.org
Signed-off-by: Josh Law <objecting@objecting.org>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
This commit is contained in:
Josh Law
2026-03-08 16:50:12 +00:00
committed by Andrew Morton
parent b02da26a99
commit d4dba3b9c0
1 changed files with 2 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
lib/decompress_bunzip2.c
View File

@@ -135,7 +135,7 @@ static unsigned int INIT get_bits(struct bunzip_data *bd, char bits_wanted)
} }
/* Avoid 32-bit overflow (dump bit buffer to top of output) */ /* Avoid 32-bit overflow (dump bit buffer to top of output) */
if (bd->inbufBitCount >= 24) { if (bd->inbufBitCount >= 24) {
bits = bd->inbufBits&((1 << bd->inbufBitCount)-1); bits = bd->inbufBits & ((1ULL << bd->inbufBitCount) - 1);
bits_wanted -= bd->inbufBitCount; bits_wanted -= bd->inbufBitCount;
bits <<= bits_wanted; bits <<= bits_wanted;
bd->inbufBitCount = 0; bd->inbufBitCount = 0;
@@ -146,7 +146,7 @@ static unsigned int INIT get_bits(struct bunzip_data *bd, char bits_wanted)
} }
/* Calculate result */ /* Calculate result */
bd->inbufBitCount -= bits_wanted; bd->inbufBitCount -= bits_wanted;
bits |= (bd->inbufBits >> bd->inbufBitCount)&((1 << bits_wanted)-1); bits |= (bd->inbufBits >> bd->inbufBitCount) & ((1ULL << bits_wanted) - 1);
return bits; return bits;
} }