gzip/gzip-1.3.12-cve_2006_4337.patch

130 lines
3.9 KiB
Diff
Raw Permalink Normal View History

diff -ru gzip-1.3.12/gzip.h gzip-1.3.12-fix/gzip.h
--- gzip-1.3.12/gzip.h 2007-03-20 06:09:51.000000000 +0100
+++ gzip-1.3.12-fix/gzip.h 2007-04-18 22:16:43.000000000 +0200
@@ -226,6 +226,8 @@
#define get_byte() (inptr < insize ? inbuf[inptr++] : fill_inbuf(0))
#define try_byte() (inptr < insize ? inbuf[inptr++] : fill_inbuf(1))
+#define MIN(a,b) ((a) <= (b) ? (a) : (b))
+
/* put_byte is used for the compressed output, put_ubyte for the
* uncompressed output. However unlzw() uses window for its
* suffix table instead of its output buffer, so it does not use put_ubyte
diff -ru gzip-1.3.12/unlzh.c gzip-1.3.12-fix/unlzh.c
--- gzip-1.3.12/unlzh.c 2007-04-18 22:08:04.000000000 +0200
+++ gzip-1.3.12-fix/unlzh.c 2007-04-18 22:16:12.000000000 +0200
@@ -153,8 +153,8 @@
start[1] = 0;
for (i = 1; i <= 16; i++)
start[i + 1] = start[i] + (count[i] << (16 - i));
- if ((start[17] & 0xffff) != 0)
- gzip_error ("Bad table\n");
+ if ((start[17] & 0xffff) != 0 || tablebits > 16) /* 16 for weight below */
+ gzip_error ("Bad table (case b)\n");
jutbits = 16 - tablebits;
for (i = 1; i <= (unsigned)tablebits; i++) {
@@ -168,15 +168,15 @@
i = start[tablebits + 1] >> jutbits;
if (i != 0) {
- k = 1 << tablebits;
- while (i != k) table[i++] = 0;
+ k = MIN(1 << tablebits, DIST_BUFSIZE);
+ while (i < k) table[i++] = 0;
}
avail = nchar;
mask = (unsigned) 1 << (15 - tablebits);
for (ch = 0; ch < (unsigned)nchar; ch++) {
if ((len = bitlen[ch]) == 0) continue;
- nextcode = start[len] + weight[len];
+ nextcode = MIN(start[len] + weight[len], DIST_BUFSIZE);
if (len <= (unsigned)tablebits) {
if ((unsigned) 1 << tablebits < nextcode)
gzip_error ("Bad table\n");
@@ -196,7 +196,7 @@
}
*p = ch;
}
- start[len] = nextcode;
+ start[len] = start[len] + weight[len];
}
}
@@ -219,7 +219,7 @@
for (i = 0; i < 256; i++) pt_table[i] = c;
} else {
i = 0;
- while (i < n) {
+ while (i < MIN(n,NPT)) {
c = bitbuf >> (BITBUFSIZ - 3);
if (c == 7) {
mask = (unsigned) 1 << (BITBUFSIZ - 1 - 3);
@@ -231,7 +231,7 @@
pt_len[i++] = c;
if (i == i_special) {
c = getbits(2);
- while (--c >= 0) pt_len[i++] = 0;
+ while (--c >= 0 && i < NPT) pt_len[i++] = 0;
}
}
while (i < nn) pt_len[i++] = 0;
@@ -251,7 +251,7 @@
for (i = 0; i < 4096; i++) c_table[i] = c;
} else {
i = 0;
- while (i < n) {
+ while (i < MIN(n,NC)) {
c = pt_table[bitbuf >> (BITBUFSIZ - 8)];
if (c >= NT) {
mask = (unsigned) 1 << (BITBUFSIZ - 1 - 8);
@@ -266,7 +266,7 @@
if (c == 0) c = 1;
else if (c == 1) c = getbits(4) + 3;
else c = getbits(CBIT) + 20;
- while (--c >= 0) c_len[i++] = 0;
+ while (--c >= 0 && i < NC) c_len[i++] = 0;
} else c_len[i++] = c - 2;
}
while (i < NC) c_len[i++] = 0;
@@ -359,7 +359,7 @@
while (--j >= 0) {
buffer[r] = buffer[i];
i = (i + 1) & (DICSIZ - 1);
- if (++r == count) return r;
+ if (++r >= count) return r;
}
for ( ; ; ) {
c = decode_c();
@@ -369,14 +369,14 @@
}
if (c <= UCHAR_MAX) {
buffer[r] = c;
- if (++r == count) return r;
+ if (++r >= count) return r;
} else {
j = c - (UCHAR_MAX + 1 - THRESHOLD);
i = (r - decode_p() - 1) & (DICSIZ - 1);
while (--j >= 0) {
buffer[r] = buffer[i];
i = (i + 1) & (DICSIZ - 1);
- if (++r == count) return r;
+ if (++r >= count) return r;
}
}
}
diff -ru gzip-1.3.12/unpack.c gzip-1.3.12-fix/unpack.c
--- gzip-1.3.12/unpack.c 2007-04-18 22:08:04.000000000 +0200
+++ gzip-1.3.12-fix/unpack.c 2007-04-18 22:17:06.000000000 +0200
@@ -26,9 +26,6 @@
#include "gzip.h"
#include "crypt.h"
-#define MIN(a,b) ((a) <= (b) ? (a) : (b))
-/* The arguments must not have side effects. */
-
#define MAX_BITLEN 25
/* Maximum length of Huffman codes. (Minor modifications to the code
* would be needed to support 32 bits codes, but pack never generates