Fix an integer overflow in RLE length parsing when decompressing

corrupt bzip2 data.

Approved by:	so (cperciva)
Security:	FreeBSD-SA-10:08.bzip2

UPDATING

@@ -8,6 +8,10 @@ Items affecting the ports and packages system can be found in
 /usr/ports/UPDATING.  Please read that file before running
 portupgrade.
 
+20100920:	p11	FreeBSD-SA-10:08.bzip2
+	Fix an integer overflow in RLE length parsing when decompressing
+	corrupt bzip2 data.
+
 20100526:	p10	FreeBSD-SA-10:05.opie
 	Fix a one-NUL-byte buffer overflow in libopie. [10:05]
 

contrib/bzip2/decompress.c

@@ -381,6 +381,13 @@ Int32 BZ2_decompress ( DState* s )
             es = -1;
             N = 1;
             do {
+               /* Check that N doesn't get too big, so that es doesn't
+                  go negative.  The maximum value that can be
+                  RUNA/RUNB encoded is equal to the block size (post
+                  the initial RLE), viz, 900k, so bounding N at 2
+                  million should guard against overflow without
+                  rejecting any legitimate inputs. */
+               if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR);
                if (nextSym == BZ_RUNA) es = es + (0+1) * N; else
                if (nextSym == BZ_RUNB) es = es + (1+1) * N;
                N = N * 2;

sys/conf/newvers.sh

@@ -32,7 +32,7 @@
 
 TYPE="FreeBSD"
 REVISION="6.4"
-BRANCH="RELEASE-p10"
+BRANCH="RELEASE-p11"
 if [ "X${BRANCH_OVERRIDE}" != "X" ]; then
 	BRANCH=${BRANCH_OVERRIDE}
 fi