Bug 12916

Summary: out-of-bounds write in get_next_block()
Product: Busybox Reporter: Mike Broomfield <mike-broomfield>
Component: OtherAssignee: unassigned
Status: NEW ---    
Severity: critical CC: busybox-cvs
Priority: P5    
Version: 1.31.x   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Host: Target:
Build:

Description Mike Broomfield 2020-05-20 07:20:59 UTC 
get_next_block in decompress_bunzip2.c has an out-of-bounds write when there are many selectors.

A very similar bug was present in bzip2 through 1.0.6.  

You can see the commit that fixed the bzip2 vulnerability at https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc#951eb5324dc64ed8c9225bfcdcb72ee7a3932918