From 0c339f2ee6517d12c61416d9cd3e3c51496db8bd Mon Sep 17 00:00:00 2001
From: isra17 <isra017@gmail.com>
Date: Tue, 19 Jul 2022 21:42:01 -0400
Subject: [PATCH] Fix CVE-2019-12900

---
 nrs/ext/bzlib/decompress.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/nrs/ext/bzlib/decompress.c b/nrs/ext/bzlib/decompress.c
index 8b0f00c..2a942a6 100644
--- a/nrs/ext/bzlib/decompress.c
+++ b/nrs/ext/bzlib/decompress.c
@@ -252,8 +252,14 @@ Int32 NSISCALL BZ2_decompress ( DState* s )
             j++;
             if (j >= nGroups) RETURN(BZ_DATA_ERROR);
          }
-         s->selectorMtf[i] = j;
+         /* Having more than BZ_MAX_SELECTORS doesn't make much sense
+            since they will never be used, but some implementations might
+            "round up" the number of selectors, so just ignore those. */
+         if (i < BZ_MAX_SELECTORS)
+           s->selectorMtf[i] = j;
       }
+      if (nSelectors > BZ_MAX_SELECTORS)
+        nSelectors = BZ_MAX_SELECTORS;
 
       /*--- Undo the MTF values for the selectors. ---*/
       {