lib: decompress_bunzip2: fix 32-bit shift undefined behavior

Fix undefined behavior caused by shifting a 32-bit integer by 32 bits
during decompression.  This prevents potential kernel decompression
failures or corruption when parsing malicious or malformed bzip2 archives.

Link: https://lkml.kernel.org/r/20260308165012.2872633-1-objecting@objecting.org
Signed-off-by: Josh Law <objecting@objecting.org>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>

diff --git a/lib/decompress_bunzip2.c b/lib/decompress_bunzip2.c
index ca736166f10009e9d0fa9f3582acaae3f5d29ec8..1288f146661f1c177389a2f105dd489822dd8bb5 100644 (file)
--- a/lib/decompress_bunzip2.c
+++ b/lib/decompress_bunzip2.c
@@ -135,7 +135,7 @@ static unsigned int INIT get_bits(struct bunzip_data *bd, char bits_wanted)
                }
                /* Avoid 32-bit overflow (dump bit buffer to top of output) */
                if (bd->inbufBitCount >= 24) {
-                       bits = bd->inbufBits&((1 << bd->inbufBitCount)-1);
+                       bits = bd->inbufBits & ((1ULL << bd->inbufBitCount) - 1);
                        bits_wanted -= bd->inbufBitCount;
                        bits <<= bits_wanted;
                        bd->inbufBitCount = 0;
@@ -146,7 +146,7 @@ static unsigned int INIT get_bits(struct bunzip_data *bd, char bits_wanted)
        }
        /* Calculate result */
        bd->inbufBitCount -= bits_wanted;
-       bits |= (bd->inbufBits >> bd->inbufBitCount)&((1 << bits_wanted)-1);
+       bits |= (bd->inbufBits >> bd->inbufBitCount) & ((1ULL << bits_wanted) - 1);
 
        return bits;
 }