From: Ross Lagerwall <ross.lagerwall@citrix.com>
Date: Thu, 8 Aug 2024 11:55:01 +0000 (+0200)
Subject: bunzip2: fix rare decompression failure
X-Git-Tag: RELEASE-4.17.5~10
X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=d663711c05883948d306fea59a2c834a7a3b94da;p=xen.git

bunzip2: fix rare decompression failure

The decompression code parses a huffman tree and counts the number of
symbols for a given bit length.  In rare cases, there may be >= 256
symbols with a given bit length, causing the unsigned char to overflow.
This causes a decompression failure later when the code tries and fails to
find the bit length for a given symbol.

Since the maximum number of symbols is 258, use unsigned short instead.

Fixes: ab77e81f6521 ("x86/dom0: support bzip2 and lzma compressed bzImage payloads")
Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Acked-by: Jan Beulich <jbeulich@suse.com>
master commit: 303d3ff85c90ee4af4bad4e3b1d4932fa2634d64
master date: 2024-07-30 11:55:56 +0200
---

diff --git a/xen/common/bunzip2.c b/xen/common/bunzip2.c
index 4466426941..79f17162b1 100644
--- a/xen/common/bunzip2.c
+++ b/xen/common/bunzip2.c
@@ -221,7 +221,8 @@ static int __init get_next_block(struct bunzip_data *bd)
 	   RUNB) */
 	symCount = symTotal+2;
 	for (j = 0; j < groupCount; j++) {
-		unsigned char length[MAX_SYMBOLS], temp[MAX_HUFCODE_BITS+1];
+		unsigned char length[MAX_SYMBOLS];
+		unsigned short temp[MAX_HUFCODE_BITS+1];
 		int	minLen,	maxLen, pp;
 		/* Read Huffman code lengths for each symbol.  They're
 		   stored in a way similar to mtf; record a starting