avoid integer overflow for CVE-2010-0001

Jim Meyering · vapier · commit bad3da2a28af · 2010-02-08T20:15:58.000-05:00
URL: http://bugzilla.redhat.com/554418 Reported-by: Aki Helin <aki.helin@iki.fi> Signed-off-by: Jim Meyering <meyering@redhat.com> Signed-off-by: Mike Frysinger <vapier@gmail.com>
diff --git a/ChangeLog b/ChangeLog
@@ -1,3 +1,6 @@
+0.2
+	* Avoid integer overflow for CVE-2010-0001
+
 0.1.2
 	* Bundle testsuite
 	* Fix liblzw.pc.in file as pointed out by Tester A.
diff --git a/lzw.c b/lzw.c
@@ -214,8 +214,9 @@ ssize_t lzw_read(lzwFile *lzw, void *readbuf, size_t count)
 	do {
 resetbuf:
 		{
-			int	i, e, o;
-			e = lzw->insize - (o = (lzw->posbits >> 3));
+			size_t i, e, o;
+			o = lzw->posbits >> 3;
+			e = o <= lzw->insize ? lzw->insize - o : 0;
 
 			for (i = 0; i < e; ++i)
 				inbuf[i] = inbuf[i+o];
