| Revision | cd28e52cc3631e2a336a7bbaa9d01e8478eb759c (tree) |
|---|---|
| Zeit | 2005-07-27 00:47:36 |
| Autor | Tim Yamin <plasmaroo@gent...> |
| Commiter | Marcelo Tosatti |
The gzip description is as good as the ChangeLog says it is -: "Set n to
length of v, to detect improper tables" and "Don't accidentally grow j
past z". The return 2 instead of the return 0 is so that we actually
error out if we also get inproper tables (for some reason the code
returned "OK" in such cases).
Fix outstanding security bugs in the Linux zlib implementations. See:
a) http://sources.redhat.com/ml/bug-gnu-utils/1999-06/msg00183.html
b) http://bugs.gentoo.org/show_bug.cgi?id=94584
Signed-off-by: Tim Yamin <plasmaroo@gentoo.org>
Signed-off-by: Tavis Ormandy <taviso@gentoo.org>
arch/ppc/boot/lib/zlib.c (diff) arch/ppc64/boot/zlib.c (diff) lib/inflate.c (diff) lib/zlib_inflate/inftrees.c (diff)| @@ -1278,7 +1278,7 @@ z_stream *zs; /* for zalloc function */ | ||
| 1278 | 1278 | { |
| 1279 | 1279 | *t = (inflate_huft *)Z_NULL; |
| 1280 | 1280 | *m = 0; |
| 1281 | - return Z_OK; | |
| 1281 | + return Z_DATA_ERROR; | |
| 1282 | 1282 | } |
| 1283 | 1283 | |
| 1284 | 1284 |
| @@ -1322,6 +1322,7 @@ z_stream *zs; /* for zalloc function */ | ||
| 1322 | 1322 | if ((j = *p++) != 0) |
| 1323 | 1323 | v[x[j]++] = i; |
| 1324 | 1324 | } while (++i < n); |
| 1325 | + n = x[g]; /* set n to length of v */ | |
| 1325 | 1326 | |
| 1326 | 1327 | |
| 1327 | 1328 | /* Generate the Huffman codes and for each, make the table entries */ |
| @@ -1294,7 +1294,7 @@ z_stream *zs; /* for zalloc function */ | ||
| 1294 | 1294 | { |
| 1295 | 1295 | *t = (inflate_huft *)Z_NULL; |
| 1296 | 1296 | *m = 0; |
| 1297 | - return Z_OK; | |
| 1297 | + return Z_DATA_ERROR; | |
| 1298 | 1298 | } |
| 1299 | 1299 | |
| 1300 | 1300 |
| @@ -1338,6 +1338,7 @@ z_stream *zs; /* for zalloc function */ | ||
| 1338 | 1338 | if ((j = *p++) != 0) |
| 1339 | 1339 | v[x[j]++] = i; |
| 1340 | 1340 | } while (++i < n); |
| 1341 | + n = x[g]; /* set n to length of v */ | |
| 1341 | 1342 | |
| 1342 | 1343 | |
| 1343 | 1344 | /* Generate the Huffman codes and for each, make the table entries */ |
| @@ -320,7 +320,7 @@ DEBG("huft1 "); | ||
| 320 | 320 | { |
| 321 | 321 | *t = (struct huft *)NULL; |
| 322 | 322 | *m = 0; |
| 323 | - return 0; | |
| 323 | + return 2; | |
| 324 | 324 | } |
| 325 | 325 | |
| 326 | 326 | DEBG("huft2 "); |
| @@ -368,6 +368,7 @@ DEBG("huft5 "); | ||
| 368 | 368 | if ((j = *p++) != 0) |
| 369 | 369 | v[x[j]++] = i; |
| 370 | 370 | } while (++i < n); |
| 371 | + n = x[g]; /* set n to length of v */ | |
| 371 | 372 | |
| 372 | 373 | DEBG("h6 "); |
| 373 | 374 |
| @@ -404,12 +405,13 @@ DEBG1("1 "); | ||
| 404 | 405 | DEBG1("2 "); |
| 405 | 406 | f -= a + 1; /* deduct codes from patterns left */ |
| 406 | 407 | xp = c + k; |
| 407 | - while (++j < z) /* try smaller tables up to z bits */ | |
| 408 | - { | |
| 409 | - if ((f <<= 1) <= *++xp) | |
| 410 | - break; /* enough codes to use up j bits */ | |
| 411 | - f -= *xp; /* else deduct codes from patterns */ | |
| 412 | - } | |
| 408 | + if (j < z) | |
| 409 | + while (++j < z) /* try smaller tables up to z bits */ | |
| 410 | + { | |
| 411 | + if ((f <<= 1) <= *++xp) | |
| 412 | + break; /* enough codes to use up j bits */ | |
| 413 | + f -= *xp; /* else deduct codes from patterns */ | |
| 414 | + } | |
| 413 | 415 | } |
| 414 | 416 | DEBG1("3 "); |
| 415 | 417 | z = 1 << j; /* table entries for j-bit table */ |
| @@ -140,7 +140,7 @@ uIntf *v; /* working area: values in order of bit length */ | ||
| 140 | 140 | { |
| 141 | 141 | *t = (inflate_huft *)Z_NULL; |
| 142 | 142 | *m = 0; |
| 143 | - return Z_OK; | |
| 143 | + return Z_DATA_ERROR; | |
| 144 | 144 | } |
| 145 | 145 | |
| 146 | 146 |
Linux Kernel Documents
Fork