File 54c90530-bunzip2-off-by-one-in-get_next_block.patch of Package xen.481

# Commit 39798e95a954eec660a3f5f21489c30ef78daf6d
# Date 2015-01-28 16:50:08 +0100
# Author Dan Carpenter <dan.carpenter@oracle.com>
# Committer Jan Beulich <jbeulich@suse.com>
bunzip2: off by one in get_next_block()

"origPtr" is used as an offset into the bd->dbuf[] array.  That array is
allocated in start_bunzip() and has "bd->dbufSize" number of elements so
the test here should be >= instead of >.

Later we check "origPtr" again before using it as an offset so I don't
know if this bug can be triggered in real life.

Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>

Trivial adjustments to make the respective Linux commit
b5c8afe5be51078a979d86ae5ae78c4ac948063d apply to Xen.

Signed-off-by: Jan Beulich <jbeulich@suse.com>
Acked-by: Ian Campbell <ian.campbell@citrix.com>

--- a/xen/common/bunzip2.c
+++ b/xen/common/bunzip2.c
@@ -174,7 +174,7 @@ static int INIT get_next_block(struct bu
 	if (get_bits(bd, 1))
 		return RETVAL_OBSOLETE_INPUT;
 	origPtr = get_bits(bd, 24);
-	if (origPtr > dbufSize)
+	if (origPtr >= dbufSize)
 		return RETVAL_DATA_ERROR;
 	/* mapping table: if some byte values are never used (encoding things
 	   like ascii text), the compression code removes the gaps to have fewer