OpenPKG Specs: gzip/gzip.patch@2289d64c2123 (annotated)

gzip/gzip.patch@2289d64c2123 (annotated)

gzip/gzip.patch

Mon, 28 Mar 2011 19:41:02 +0200

author: Michael Schloh von Bennewitz <michael@schloh.com>
date: Mon, 28 Mar 2011 19:41:02 +0200
changeset 332: 2289d64c2123
permissions: -rw-r--r--

Completely rework package including...
Simpify 64-bit -fPIC logic, instruct make to build in parallel,
force error condition on failed profile dependency, build the
standard 'bootstrap' target as suggested, correct grammar, wording,
and punctuation in general, upgrade to latest upstream vendor version,
rearrange package dependencies mpc, mpfr, and gmp, correct buildconf
thanks to new lto-plugin forced, avoid failed platform specific stage
comparison, adjust patch code to reflect new version update, and most
importantly adjust optimization flags to platform. Please note that
block 'correct hardcoded paths' is likely no yet complete.

 Security Fix
 Index: gzip.c
 --- gzip.c.orig	2009-09-26 20:56:02 +0200
 +++ gzip.c	2009-10-07 07:59:53 +0200
@@ -168,7 +168,7 @@
  DECLARE(uch, inbuf,  INBUFSIZ +INBUF_EXTRA);
  DECLARE(uch, outbuf, OUTBUFSIZ+OUTBUF_EXTRA);
  DECLARE(ush, d_buf,  DIST_BUFSIZE);
 -DECLARE(uch, window, 2L*WSIZE);
 +DECLARE(uch, window, 2L*WSIZE + 4096); /* enlarge to avoid crashs due to peeking beyond the buffer end */
  #ifndef MAXSEG_64K
      DECLARE(ush, tab_prefix, 1L<<BITS);
  #else
 -----------------------------------------------------------------------------
 Security Fixes
 - OOB write        (CVE-2006-4335)
 - Buffer underflow (CVE-2006-4336)
 - Buffer overflow  (CVE-2006-4337)
 - Infinite loop    (CVE-2006-4338)
 Index: gzip.h
 --- gzip.h.orig	2009-09-26 20:43:28 +0200
 +++ gzip.h	2009-10-07 07:59:53 +0200
@@ -223,6 +223,8 @@
  extern int to_stdout;      /* output to stdout (-c) */
  extern int save_orig_name; /* set if original name must be saved */
 +#define MIN(a,b) ((a) <= (b) ? (a) : (b))
 +
  #define get_byte()  (inptr < insize ? inbuf[inptr++] : fill_inbuf(0))
  #define try_byte()  (inptr < insize ? inbuf[inptr++] : fill_inbuf(1))
 Index: unlzh.c
 --- unlzh.c.orig	2009-09-26 20:20:40 +0200
 +++ unlzh.c	2009-10-07 07:59:53 +0200
@@ -141,12 +141,17 @@
      unsigned i, k, len, ch, jutbits, avail, nextcode, mask;
      for (i = 1; i <= 16; i++) count[i] = 0;
 -    for (i = 0; i < (unsigned)nchar; i++) count[bitlen[i]]++;
 +    for (i = 0; i < (unsigned)nchar; i++) {
 +        if (bitlen[i] > 16)
 +            error("Bad table\n");
 +        else
 +            count[bitlen[i]]++;
 +    }
      start[1] = 0;
      for (i = 1; i <= 16; i++)
  	start[i + 1] = start[i] + (count[i] << (16 - i));
 -    if ((start[17] & 0xffff) != 0)
 +    if ((start[17] & 0xffff) != 0 || tablebits > 16) /* 16 for weight below */
        gzip_error ("Bad table\n");
      jutbits = 16 - tablebits;
@@ -161,15 +166,15 @@
      i = start[tablebits + 1] >> jutbits;
      if (i != 0) {
 -	k = 1 << tablebits;
 -	while (i != k) table[i++] = 0;
 +	k = MIN(1 << tablebits, DIST_BUFSIZE);
 +	while (i < k) table[i++] = 0;
      }
      avail = nchar;
      mask = (unsigned) 1 << (15 - tablebits);
      for (ch = 0; ch < (unsigned)nchar; ch++) {
  	if ((len = bitlen[ch]) == 0) continue;
 -	nextcode = start[len] + weight[len];
 +	nextcode = MIN(start[len] + weight[len], DIST_BUFSIZE);
  	if (len <= (unsigned)tablebits) {
  	    if ((unsigned) 1 << tablebits < nextcode)
  	      gzip_error ("Bad table\n");
@@ -212,7 +217,7 @@
  	for (i = 0; i < 256; i++) pt_table[i] = c;
      } else {
  	i = 0;
 -	while (i < n) {
 +	while (i < MIN(n,NPT)) {
  	    c = bitbuf >> (BITBUFSIZ - 3);
  	    if (c == 7) {
  		mask = (unsigned) 1 << (BITBUFSIZ - 1 - 3);
@@ -224,7 +229,7 @@
  	    pt_len[i++] = c;
  	    if (i == i_special) {
  		c = getbits(2);
 -		while (--c >= 0) pt_len[i++] = 0;
 +		while (--c >= 0 && i < NPT) pt_len[i++] = 0;
  	    }
  	}
  	while (i < nn) pt_len[i++] = 0;
@@ -244,7 +249,7 @@
  	for (i = 0; i < 4096; i++) c_table[i] = c;
      } else {
  	i = 0;
 -	while (i < n) {
 +	while (i < MIN(n,NC)) {
  	    c = pt_table[bitbuf >> (BITBUFSIZ - 8)];
  	    if (c >= NT) {
  		mask = (unsigned) 1 << (BITBUFSIZ - 1 - 8);
@@ -252,14 +257,14 @@
  		    if (bitbuf & mask) c = right[c];
  		    else               c = left [c];
  		    mask >>= 1;
 -		} while (c >= NT);
 +		} while (c >= NT && (mask || c != left[c]));
  	    }
  	    fillbuf((int) pt_len[c]);
  	    if (c <= 2) {
  		if      (c == 0) c = 1;
  		else if (c == 1) c = getbits(4) + 3;
  		else             c = getbits(CBIT) + 20;
 -		while (--c >= 0) c_len[i++] = 0;
 +		while (--c >= 0 && i < NC) c_len[i++] = 0;
  	    } else c_len[i++] = c - 2;
  	}
  	while (i < NC) c_len[i++] = 0;
@@ -288,7 +293,7 @@
  	    if (bitbuf & mask) j = right[j];
  	    else               j = left [j];
  	    mask >>= 1;
 -	} while (j >= NC);
 +	} while (j >= NC && (mask || j != left[j]));
      }
      fillbuf((int) c_len[j]);
      return j;
@@ -305,7 +310,7 @@
  	    if (bitbuf & mask) j = right[j];
  	    else               j = left [j];
  	    mask >>= 1;
 -	} while (j >= NP);
 +	} while (j >= NP && (mask || j != left[j]));
      }
      fillbuf((int) pt_len[j]);
      if (j != 0) j = ((unsigned) 1 << (j - 1)) + getbits((int) (j - 1));
@@ -352,7 +357,7 @@
      while (--j >= 0) {
  	buffer[r] = buffer[i];
  	i = (i + 1) & (DICSIZ - 1);
 -	if (++r == count) return r;
 +	if (++r >= count) return r;
      }
      for ( ; ; ) {
  	c = decode_c();
@@ -362,14 +367,14 @@
  	}
  	if (c <= UCHAR_MAX) {
  	    buffer[r] = c;
 -	    if (++r == count) return r;
 +	    if (++r >= count) return r;
  	} else {
  	    j = c - (UCHAR_MAX + 1 - THRESHOLD);
  	    i = (r - decode_p() - 1) & (DICSIZ - 1);
  	    while (--j >= 0) {
  		buffer[r] = buffer[i];
  		i = (i + 1) & (DICSIZ - 1);
 -		if (++r == count) return r;
 +		if (++r >= count) return r;
  	    }
  	}
      }
 Index: unpack.c
 --- unpack.c.orig	2009-09-26 20:43:28 +0200
 +++ unpack.c	2009-10-07 07:59:53 +0200
@@ -22,7 +22,6 @@
  #include "gzip.h"
  #include "crypt.h"
 -#define MIN(a,b) ((a) <= (b) ? (a) : (b))
  /* The arguments must not have side effects. */
  #define MAX_BITLEN 25
@@ -146,7 +145,7 @@
  	/* Remember where the literals of this length start in literal[] : */
  	lit_base[len] = base;
  	/* And read the literals: */
 -	for (n = leaves[len]; n > 0; n--) {
 +	for (n = leaves[len]; n > 0 && base < LITERALS; n--) {
  	    literal[base++] = (uch)get_byte();
  	}
      }
@@ -182,7 +181,7 @@
      prefixp = &prefix_len[1<<peek_bits];
      for (len = 1; len <= peek_bits; len++) {
  	int prefixes = leaves[len] << (peek_bits-len); /* may be 0 */
 -	while (prefixes--) *--prefixp = (uch)len;
 +	while (prefixes-- && prefixp > prefix_len) *--prefixp = (uch)len;
      }
      /* The length of all other codes is unknown: */
      while (prefixp > prefix_len) *--prefixp = 0;

OpenPKG Specs / annotate

gzip/gzip.patch@2289d64c2123 (annotated)

gzip/gzip.patch