Synopsis: Integer overflow in libbz2 decompression code
NetBSD versions: 5.0, 4.0.1, 4.0
Thanks to: Mikolaj Izdebski, Christos Zoulas
Reported in NetBSD Security Advisory: NetBSD-SA2010-007

Index: dist/bzip2/decompress.c
===================================================================
RCS file: /cvsroot/src/dist/bzip2/decompress.c,v
diff -u
--- dist/bzip2/decompress.c	18 Mar 2008 14:41:45 -0000	1.1.1.3
+++ dist/bzip2/decompress.c	22 Sep 2010 22:52:03 -0000	1.1.1.3.12.1
@@ -381,6 +381,13 @@
             es = -1;
             N = 1;
             do {
+               /* Check that N doesn't get too big, so that es doesn't
+                  go negative.  The maximum value that can be
+                  RUNA/RUNB encoded is equal to the block size (post
+                  the initial RLE), viz, 900k, so bounding N at 2
+                  million should guard against overflow without
+                  rejecting any legitimate inputs. */
+               if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR);
                if (nextSym == BZ_RUNA) es = es + (0+1) * N; else
                if (nextSym == BZ_RUNB) es = es + (1+1) * N;
                N = N * 2;