Bug 12916 - out-of-bounds write in get_next_block()
Status: NEW
Alias: None
Product: Busybox
Classification: Unclassified
Component: Other
Version: 1.31.x
Hardware: All Linux
Importance: P5 critical
Target Milestone: ---
Assignee: unassigned
Reported: 2020-05-20 07:20 UTC by Mike Broomfield
Modified: 2020-05-20 07:20 UTC

Description Mike Broomfield 2020-05-20 07:20:59 UTC
get_next_block in decompress_bunzip2.c has an out-of-bounds write when there are many selectors.

A very similar bug was present in bzip2 through 1.0.6.  

You can see the commit that fixed the bzip2 vulnerability at https://gitlab.com/federicomenaquintero/bzip2/commit/74de1e2e6ffc9d51ef9824db71a8ffee5962cdbc#951eb5324dc64ed8c9225bfcdcb72ee7a3932918
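
An added illustration of the bug class this report describes, not code from BusyBox, bzip2, or the reporter: the bzip2 stream carries the selector count in a 15-bit field, so a decoder has to reject counts larger than its selector table before it starts writing entries. The names `bitreader`, `read_selectors`, `parse` and `table` are hypothetical, the sample bytes are constructed, and move-to-front decoding of the selectors is left out to keep the focus on the bounds check.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_SELECTORS 18002 /* bzip2 format limit: 2 + 900000/50 */

struct bitreader { const uint8_t *buf; size_t len, bitpos; };

/* MSB-first bit reader; returns -1 when the input is truncated. */
static int get_bits(struct bitreader *br, unsigned n, unsigned *out)
{
    unsigned v = 0;
    while (n--) {
        if (br->bitpos >= br->len * 8) return -1;
        v = (v << 1) | ((br->buf[br->bitpos >> 3] >> (7 - (br->bitpos & 7))) & 1u);
        br->bitpos++;
    }
    *out = v;
    return 0;
}

/* Reads the 15-bit count, then one unary code per selector.
 * Returns the count, or -1 on malformed input. */
static int read_selectors(struct bitreader *br, unsigned ngroups, uint8_t *sel, size_t cap)
{
    unsigned nsel, bit, i, j;
    if (get_bits(br, 15, &nsel)) return -1;
    /* Without this check a count of up to 32767 drives sel[i] past the table. */
    if (nsel < 1 || nsel > cap) return -1;
    for (i = 0; i < nsel; i++) {
        for (j = 0; ; j++) {
            if (get_bits(br, 1, &bit)) return -1;
            if (!bit) break;
            if (j + 1 >= ngroups) return -1; /* unary run longer than group count */
        }
        sel[i] = (uint8_t)j; /* raw unary index; MTF step omitted */
    }
    return (int)nsel;
}

/* Constructed inputs: count=2 with codes 0 and 1; count=32767. */
static const uint8_t sample_ok[] = { 0x00, 0x04, 0x80 };
static const uint8_t sample_bad[] = { 0xFF, 0xFE };
static uint8_t table[MAX_SELECTORS];

static int parse(const uint8_t *buf, size_t len) /* assumes 2 coding groups */
{
    struct bitreader br = { buf, len, 0 };
    return read_selectors(&br, 2, table, sizeof table);
}

int main(void) { printf("%d\n", parse(sample_bad, sizeof sample_bad)); return 0; }
```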