gzip/gzip.patch@6b1bca241155 (annotated)
gzip/gzip.patch
Wed, 08 Feb 2012 20:15:50 +0200
- author
- Michael Schloh von Bennewitz <michael@schloh.com>
- date
- Wed, 08 Feb 2012 20:15:50 +0200
- changeset 602
- 6b1bca241155
- permissions
- -rw-r--r--
Update source URI to canonical location.
| michael@241 | 1 | Security Fix |
| michael@241 | 2 | |
| michael@241 | 3 | Index: gzip.c |
| michael@241 | 4 | --- gzip.c.orig 2009-09-26 20:56:02 +0200 |
| michael@241 | 5 | +++ gzip.c 2009-10-07 07:59:53 +0200 |
| michael@241 | 6 | @@ -168,7 +168,7 @@ |
| michael@241 | 7 | DECLARE(uch, inbuf, INBUFSIZ +INBUF_EXTRA); |
| michael@241 | 8 | DECLARE(uch, outbuf, OUTBUFSIZ+OUTBUF_EXTRA); |
| michael@241 | 9 | DECLARE(ush, d_buf, DIST_BUFSIZE); |
| michael@241 | 10 | -DECLARE(uch, window, 2L*WSIZE); |
| michael@241 | 11 | +DECLARE(uch, window, 2L*WSIZE + 4096); /* enlarge to avoid crashs due to peeking beyond the buffer end */ |
| michael@241 | 12 | #ifndef MAXSEG_64K |
| michael@241 | 13 | DECLARE(ush, tab_prefix, 1L<<BITS); |
| michael@241 | 14 | #else |
| michael@241 | 15 | |
| michael@241 | 16 | ----------------------------------------------------------------------------- |
| michael@241 | 17 | |
| michael@241 | 18 | Security Fixes |
| michael@241 | 19 | - OOB write (CVE-2006-4335) |
| michael@241 | 20 | - Buffer underflow (CVE-2006-4336) |
| michael@241 | 21 | - Buffer overflow (CVE-2006-4337) |
| michael@241 | 22 | - Infinite loop (CVE-2006-4338) |
| michael@241 | 23 | |
| michael@241 | 24 | Index: gzip.h |
| michael@241 | 25 | --- gzip.h.orig 2009-09-26 20:43:28 +0200 |
| michael@241 | 26 | +++ gzip.h 2009-10-07 07:59:53 +0200 |
| michael@241 | 27 | @@ -223,6 +223,8 @@ |
| michael@241 | 28 | extern int to_stdout; /* output to stdout (-c) */ |
| michael@241 | 29 | extern int save_orig_name; /* set if original name must be saved */ |
| michael@241 | 30 | |
| michael@241 | 31 | +#define MIN(a,b) ((a) <= (b) ? (a) : (b)) |
| michael@241 | 32 | + |
| michael@241 | 33 | #define get_byte() (inptr < insize ? inbuf[inptr++] : fill_inbuf(0)) |
| michael@241 | 34 | #define try_byte() (inptr < insize ? inbuf[inptr++] : fill_inbuf(1)) |
| michael@241 | 35 | |
| michael@241 | 36 | Index: unlzh.c |
| michael@241 | 37 | --- unlzh.c.orig 2009-09-26 20:20:40 +0200 |
| michael@241 | 38 | +++ unlzh.c 2009-10-07 07:59:53 +0200 |
| michael@241 | 39 | @@ -141,12 +141,17 @@ |
| michael@241 | 40 | unsigned i, k, len, ch, jutbits, avail, nextcode, mask; |
| michael@241 | 41 | |
| michael@241 | 42 | for (i = 1; i <= 16; i++) count[i] = 0; |
| michael@241 | 43 | - for (i = 0; i < (unsigned)nchar; i++) count[bitlen[i]]++; |
| michael@241 | 44 | + for (i = 0; i < (unsigned)nchar; i++) { |
| michael@241 | 45 | + if (bitlen[i] > 16) |
| michael@241 | 46 | + error("Bad table\n"); |
| michael@241 | 47 | + else |
| michael@241 | 48 | + count[bitlen[i]]++; |
| michael@241 | 49 | + } |
| michael@241 | 50 | |
| michael@241 | 51 | start[1] = 0; |
| michael@241 | 52 | for (i = 1; i <= 16; i++) |
| michael@241 | 53 | start[i + 1] = start[i] + (count[i] << (16 - i)); |
| michael@241 | 54 | - if ((start[17] & 0xffff) != 0) |
| michael@241 | 55 | + if ((start[17] & 0xffff) != 0 || tablebits > 16) /* 16 for weight below */ |
| michael@241 | 56 | gzip_error ("Bad table\n"); |
| michael@241 | 57 | |
| michael@241 | 58 | jutbits = 16 - tablebits; |
| michael@241 | 59 | @@ -161,15 +166,15 @@ |
| michael@241 | 60 | |
| michael@241 | 61 | i = start[tablebits + 1] >> jutbits; |
| michael@241 | 62 | if (i != 0) { |
| michael@241 | 63 | - k = 1 << tablebits; |
| michael@241 | 64 | - while (i != k) table[i++] = 0; |
| michael@241 | 65 | + k = MIN(1 << tablebits, DIST_BUFSIZE); |
| michael@241 | 66 | + while (i < k) table[i++] = 0; |
| michael@241 | 67 | } |
| michael@241 | 68 | |
| michael@241 | 69 | avail = nchar; |
| michael@241 | 70 | mask = (unsigned) 1 << (15 - tablebits); |
| michael@241 | 71 | for (ch = 0; ch < (unsigned)nchar; ch++) { |
| michael@241 | 72 | if ((len = bitlen[ch]) == 0) continue; |
| michael@241 | 73 | - nextcode = start[len] + weight[len]; |
| michael@241 | 74 | + nextcode = MIN(start[len] + weight[len], DIST_BUFSIZE); |
| michael@241 | 75 | if (len <= (unsigned)tablebits) { |
| michael@241 | 76 | if ((unsigned) 1 << tablebits < nextcode) |
| michael@241 | 77 | gzip_error ("Bad table\n"); |
| michael@241 | 78 | @@ -212,7 +217,7 @@ |
| michael@241 | 79 | for (i = 0; i < 256; i++) pt_table[i] = c; |
| michael@241 | 80 | } else { |
| michael@241 | 81 | i = 0; |
| michael@241 | 82 | - while (i < n) { |
| michael@241 | 83 | + while (i < MIN(n,NPT)) { |
| michael@241 | 84 | c = bitbuf >> (BITBUFSIZ - 3); |
| michael@241 | 85 | if (c == 7) { |
| michael@241 | 86 | mask = (unsigned) 1 << (BITBUFSIZ - 1 - 3); |
| michael@241 | 87 | @@ -224,7 +229,7 @@ |
| michael@241 | 88 | pt_len[i++] = c; |
| michael@241 | 89 | if (i == i_special) { |
| michael@241 | 90 | c = getbits(2); |
| michael@241 | 91 | - while (--c >= 0) pt_len[i++] = 0; |
| michael@241 | 92 | + while (--c >= 0 && i < NPT) pt_len[i++] = 0; |
| michael@241 | 93 | } |
| michael@241 | 94 | } |
| michael@241 | 95 | while (i < nn) pt_len[i++] = 0; |
| michael@241 | 96 | @@ -244,7 +249,7 @@ |
| michael@241 | 97 | for (i = 0; i < 4096; i++) c_table[i] = c; |
| michael@241 | 98 | } else { |
| michael@241 | 99 | i = 0; |
| michael@241 | 100 | - while (i < n) { |
| michael@241 | 101 | + while (i < MIN(n,NC)) { |
| michael@241 | 102 | c = pt_table[bitbuf >> (BITBUFSIZ - 8)]; |
| michael@241 | 103 | if (c >= NT) { |
| michael@241 | 104 | mask = (unsigned) 1 << (BITBUFSIZ - 1 - 8); |
| michael@241 | 105 | @@ -252,14 +257,14 @@ |
| michael@241 | 106 | if (bitbuf & mask) c = right[c]; |
| michael@241 | 107 | else c = left [c]; |
| michael@241 | 108 | mask >>= 1; |
| michael@241 | 109 | - } while (c >= NT); |
| michael@241 | 110 | + } while (c >= NT && (mask || c != left[c])); |
| michael@241 | 111 | } |
| michael@241 | 112 | fillbuf((int) pt_len[c]); |
| michael@241 | 113 | if (c <= 2) { |
| michael@241 | 114 | if (c == 0) c = 1; |
| michael@241 | 115 | else if (c == 1) c = getbits(4) + 3; |
| michael@241 | 116 | else c = getbits(CBIT) + 20; |
| michael@241 | 117 | - while (--c >= 0) c_len[i++] = 0; |
| michael@241 | 118 | + while (--c >= 0 && i < NC) c_len[i++] = 0; |
| michael@241 | 119 | } else c_len[i++] = c - 2; |
| michael@241 | 120 | } |
| michael@241 | 121 | while (i < NC) c_len[i++] = 0; |
| michael@241 | 122 | @@ -288,7 +293,7 @@ |
| michael@241 | 123 | if (bitbuf & mask) j = right[j]; |
| michael@241 | 124 | else j = left [j]; |
| michael@241 | 125 | mask >>= 1; |
| michael@241 | 126 | - } while (j >= NC); |
| michael@241 | 127 | + } while (j >= NC && (mask || j != left[j])); |
| michael@241 | 128 | } |
| michael@241 | 129 | fillbuf((int) c_len[j]); |
| michael@241 | 130 | return j; |
| michael@241 | 131 | @@ -305,7 +310,7 @@ |
| michael@241 | 132 | if (bitbuf & mask) j = right[j]; |
| michael@241 | 133 | else j = left [j]; |
| michael@241 | 134 | mask >>= 1; |
| michael@241 | 135 | - } while (j >= NP); |
| michael@241 | 136 | + } while (j >= NP && (mask || j != left[j])); |
| michael@241 | 137 | } |
| michael@241 | 138 | fillbuf((int) pt_len[j]); |
| michael@241 | 139 | if (j != 0) j = ((unsigned) 1 << (j - 1)) + getbits((int) (j - 1)); |
| michael@241 | 140 | @@ -352,7 +357,7 @@ |
| michael@241 | 141 | while (--j >= 0) { |
| michael@241 | 142 | buffer[r] = buffer[i]; |
| michael@241 | 143 | i = (i + 1) & (DICSIZ - 1); |
| michael@241 | 144 | - if (++r == count) return r; |
| michael@241 | 145 | + if (++r >= count) return r; |
| michael@241 | 146 | } |
| michael@241 | 147 | for ( ; ; ) { |
| michael@241 | 148 | c = decode_c(); |
| michael@241 | 149 | @@ -362,14 +367,14 @@ |
| michael@241 | 150 | } |
| michael@241 | 151 | if (c <= UCHAR_MAX) { |
| michael@241 | 152 | buffer[r] = c; |
| michael@241 | 153 | - if (++r == count) return r; |
| michael@241 | 154 | + if (++r >= count) return r; |
| michael@241 | 155 | } else { |
| michael@241 | 156 | j = c - (UCHAR_MAX + 1 - THRESHOLD); |
| michael@241 | 157 | i = (r - decode_p() - 1) & (DICSIZ - 1); |
| michael@241 | 158 | while (--j >= 0) { |
| michael@241 | 159 | buffer[r] = buffer[i]; |
| michael@241 | 160 | i = (i + 1) & (DICSIZ - 1); |
| michael@241 | 161 | - if (++r == count) return r; |
| michael@241 | 162 | + if (++r >= count) return r; |
| michael@241 | 163 | } |
| michael@241 | 164 | } |
| michael@241 | 165 | } |
| michael@241 | 166 | Index: unpack.c |
| michael@241 | 167 | --- unpack.c.orig 2009-09-26 20:43:28 +0200 |
| michael@241 | 168 | +++ unpack.c 2009-10-07 07:59:53 +0200 |
| michael@241 | 169 | @@ -22,7 +22,6 @@ |
| michael@241 | 170 | #include "gzip.h" |
| michael@241 | 171 | #include "crypt.h" |
| michael@241 | 172 | |
| michael@241 | 173 | -#define MIN(a,b) ((a) <= (b) ? (a) : (b)) |
| michael@241 | 174 | /* The arguments must not have side effects. */ |
| michael@241 | 175 | |
| michael@241 | 176 | #define MAX_BITLEN 25 |
| michael@241 | 177 | @@ -146,7 +145,7 @@ |
| michael@241 | 178 | /* Remember where the literals of this length start in literal[] : */ |
| michael@241 | 179 | lit_base[len] = base; |
| michael@241 | 180 | /* And read the literals: */ |
| michael@241 | 181 | - for (n = leaves[len]; n > 0; n--) { |
| michael@241 | 182 | + for (n = leaves[len]; n > 0 && base < LITERALS; n--) { |
| michael@241 | 183 | literal[base++] = (uch)get_byte(); |
| michael@241 | 184 | } |
| michael@241 | 185 | } |
| michael@241 | 186 | @@ -182,7 +181,7 @@ |
| michael@241 | 187 | prefixp = &prefix_len[1<<peek_bits]; |
| michael@241 | 188 | for (len = 1; len <= peek_bits; len++) { |
| michael@241 | 189 | int prefixes = leaves[len] << (peek_bits-len); /* may be 0 */ |
| michael@241 | 190 | - while (prefixes--) *--prefixp = (uch)len; |
| michael@241 | 191 | + while (prefixes-- && prefixp > prefix_len) *--prefixp = (uch)len; |
| michael@241 | 192 | } |
| michael@241 | 193 | /* The length of all other codes is unknown: */ |
| michael@241 | 194 | while (prefixp > prefix_len) *--prefixp = 0; |
