Make sure nSelectors is not out of range nSelectors is used in a loop from 0 to nSelectors to access selectorMtf which is UChar selectorMtf[BZ_MAX_SELECTORS]; so if nSelectors is bigger than BZ_MAX_SELECTORS it'll do an invalid memory access Fixes out of bounds access discovered while fuzzying karchive This was reported as CVE-2019-12900 BZ2_decompress in decompress.c in bzip2 through 1.0.6 has an out-of-bounds write when there are many selectors.

commit: 7ed62bfb46e87a9e878712603469440e6882b184 [log] [tgz]
author: Albert Astals Cid <aacid@kde.org> Tue May 28 19:35:18 2019 +0200
committer: Mark Wielaard <mark@klomp.org> Mon Jun 24 15:34:05 2019 +0200
tree: 2ab31d696610797b6913cce701a71e70eb19a6a7
parent: 16f2c753f9959e8d7c7e1fa771b8ccc5821427aa [diff]
diff --git a/decompress.c b/decompress.c
index ab6a624..f3db91d 100644
--- a/decompress.c
+++ b/decompress.c

@@ -287,7 +287,7 @@
       GET_BITS(BZ_X_SELECTOR_1, nGroups, 3);
       if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR);
       GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15);
-      if (nSelectors < 1) RETURN(BZ_DATA_ERROR);
+      if (nSelectors < 1 || nSelectors > BZ_MAX_SELECTORS) RETURN(BZ_DATA_ERROR);
       for (i = 0; i < nSelectors; i++) {
          j = 0;
          while (True) {
commit	7ed62bfb46e87a9e878712603469440e6882b184	[log] [tgz]
author	Albert Astals Cid <aacid@kde.org>	Tue May 28 19:35:18 2019 +0200
committer	Mark Wielaard <mark@klomp.org>	Mon Jun 24 15:34:05 2019 +0200
tree	2ab31d696610797b6913cce701a71e70eb19a6a7
parent	16f2c753f9959e8d7c7e1fa771b8ccc5821427aa [diff]