Check for upper bounds of nselectors. Currently there is no check for the upper bounds of the nselectors. Hence, a corrupt input can cause a segfault. This issue was discovered by one of our fuzzers. The actual error was: ../bzip2-1.0.6/decompress.c:299:10: runtime error: index 18002 out of bounds for type 'UChar [18002]' Change-Id: I1f749ca7a54cce95d671f184b6425ac659767ffc

commit: f2552dac2d5627dc249d1c16bfc5966db13de869 [log] [tgz]
author: Amin Hassani <ahassani@chromium.org> Fri Mar 08 09:58:20 2019 -0800
committer: Sen Jiang <senj@google.com> Fri Mar 29 17:42:48 2019 -0700
tree: 459c0897fe282d9f4f3f440aaf2b9e12db40ccae
parent: ac0f84bf6789a6bf512478bad525320479872341 [diff]
diff --git a/decompress.c b/decompress.c
index 311f566..391552d 100644
--- a/decompress.c
+++ b/decompress.c

@@ -288,6 +288,7 @@
       if (nGroups < 2 || nGroups > 6) RETURN(BZ_DATA_ERROR);
       GET_BITS(BZ_X_SELECTOR_2, nSelectors, 15);
       if (nSelectors < 1) RETURN(BZ_DATA_ERROR);
+      if (nSelectors > BZ_MAX_SELECTORS) RETURN(BZ_DATA_ERROR);
       for (i = 0; i < nSelectors; i++) {
          j = 0;
          while (True) {
commit	f2552dac2d5627dc249d1c16bfc5966db13de869	[log] [tgz]
author	Amin Hassani <ahassani@chromium.org>	Fri Mar 08 09:58:20 2019 -0800
committer	Sen Jiang <senj@google.com>	Fri Mar 29 17:42:48 2019 -0700
tree	459c0897fe282d9f4f3f440aaf2b9e12db40ccae
parent	ac0f84bf6789a6bf512478bad525320479872341 [diff]