kmx git

Commit	Date	Message
6a8690fc	2019-07-13T17:17:58	Prepare for 1.0.8 release.
b07b105d	2019-07-03T01:28:11	Accept as many selectors as the file format allows. But ignore any larger than the theoretical maximum, BZ_MAX_SELECTORS. The theoretical maximum number of selectors depends on the maximum blocksize (900000 bytes) and the number of symbols (50) that can be encoded with a different Huffman tree. BZ_MAX_SELECTORS is 18002. But the bzip2 file format allows the number of selectors to be encoded with 15 bits (because 18002 isn't a factor of 2 and doesn't fit in 14 bits). So the file format maximum is 32767 selectors. Some bzip2 encoders might actually have written out more selectors than the theoretical maximum because they rounded up the number of selectors to some convenient factor of 8. The extra 14766 selectors can never be validly used by the decompression algorithm. So we can read them, but then discard them. This is effectively what was done (by accident) before we added a check for nSelectors to be at most BZ_MAX_SELECTORS to mitigate CVE-2019-12900. The extra selectors were written out after the array inside the EState struct. But the struct has extra space allocated after the selector arrays of 18060 bytes (which is larger than 14766). All of which will be initialized later (so the overwrite of that space with extra selector values would have been harmless).
f319b98a	2019-06-27T20:10:07	Prepare for 1.0.7 release.
ff986850	2019-05-29T17:14:27	Change a magic number (6) for a constant (BZ_N_GROUPS). decompress.c (BZ2_decompress): Check nGroups against BZ_N_GROUPS.
7ed62bfb	2019-05-28T19:35:18	Make sure nSelectors is not out of range nSelectors is used in a loop from 0 to nSelectors to access selectorMtf which is UChar selectorMtf[BZ_MAX_SELECTORS]; so if nSelectors is bigger than BZ_MAX_SELECTORS it'll do an invalid memory access Fixes out of bounds access discovered while fuzzying karchive This was reported as CVE-2019-12900 BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.
5b923861	2019-03-30T22:56:16	Change Julian's email address to jseward@acm.org
962d6061	2010-09-06T22:13:13	bzip2-1.0.6
a1d78c55	2007-12-10T22:13:13	bzip2-1.0.5
f10a3353	2006-12-20T22:13:13	bzip2-1.0.4
4d540bfc	2005-02-15T22:13:13	bzip2-1.0.3
099d8442	2001-12-30T22:13:13	bzip2-1.0.2
795b859e	2000-06-24T22:13:13	bzip2-1.0.1
f93cd82a	1999-09-04T22:13:13	bzip2-0.9.5d
977101ad	1998-08-23T22:13:13	bzip2-0.9.0c

6a8690fc

2019-07-13T17:17:58

Prepare for 1.0.8 release.

b07b105d

2019-07-03T01:28:11

Accept as many selectors as the file format allows. But ignore any larger than the theoretical maximum, BZ_MAX_SELECTORS. The theoretical maximum number of selectors depends on the maximum blocksize (900000 bytes) and the number of symbols (50) that can be encoded with a different Huffman tree. BZ_MAX_SELECTORS is 18002. But the bzip2 file format allows the number of selectors to be encoded with 15 bits (because 18002 isn't a factor of 2 and doesn't fit in 14 bits). So the file format maximum is 32767 selectors. Some bzip2 encoders might actually have written out more selectors than the theoretical maximum because they rounded up the number of selectors to some convenient factor of 8. The extra 14766 selectors can never be validly used by the decompression algorithm. So we can read them, but then discard them. This is effectively what was done (by accident) before we added a check for nSelectors to be at most BZ_MAX_SELECTORS to mitigate CVE-2019-12900. The extra selectors were written out after the array inside the EState struct. But the struct has extra space allocated after the selector arrays of 18060 bytes (which is larger than 14766). All of which will be initialized later (so the overwrite of that space with extra selector values would have been harmless).

f319b98a

2019-06-27T20:10:07

Prepare for 1.0.7 release.

ff986850

2019-05-29T17:14:27

Change a magic number (6) for a constant (BZ_N_GROUPS). decompress.c (BZ2_decompress): Check nGroups against BZ_N_GROUPS.

7ed62bfb

2019-05-28T19:35:18

Make sure nSelectors is not out of range nSelectors is used in a loop from 0 to nSelectors to access selectorMtf which is UChar selectorMtf[BZ_MAX_SELECTORS]; so if nSelectors is bigger than BZ_MAX_SELECTORS it'll do an invalid memory access Fixes out of bounds access discovered while fuzzying karchive This was reported as CVE-2019-12900 BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.

5b923861

2019-03-30T22:56:16

Change Julian's email address to jseward@acm.org

962d6061

2010-09-06T22:13:13

bzip2-1.0.6

a1d78c55

2007-12-10T22:13:13

bzip2-1.0.5

f10a3353

2006-12-20T22:13:13

bzip2-1.0.4

4d540bfc

2005-02-15T22:13:13

bzip2-1.0.3

099d8442

2001-12-30T22:13:13

bzip2-1.0.2

795b859e

2000-06-24T22:13:13

bzip2-1.0.1

f93cd82a

1999-09-04T22:13:13

bzip2-0.9.5d

977101ad

1998-08-23T22:13:13

bzip2-0.9.0c

kc3-lang/bzip2/decompress.c

decompress.c

Log