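--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/gzip/gzip.patch	Mon Nov 09 21:21:25 2009 +0100
@@ -0,0 +1,194 @@
+Security Fix
+
+Index: gzip.c
+--- gzip.c.orig 2009-09-26 20:56:02 +0200
++++ gzip.c 2009-10-07 07:59:53 +0200
+@@ -168,7 +168,7 @@
+ DECLARE(uch, inbuf, INBUFSIZ +INBUF_EXTRA);
+ DECLARE(uch, outbuf, OUTBUFSIZ+OUTBUF_EXTRA);
+ DECLARE(ush, d_buf, DIST_BUFSIZE);
+-DECLARE(uch, window, 2L*WSIZE);
++DECLARE(uch, window, 2L*WSIZE + 4096); /* enlarge to avoid crashs due to peeking beyond the buffer end */
+ #ifndef MAXSEG_64K
+ DECLARE(ush, tab_prefix, 1L<<BITS);
+ #else
+
+-----------------------------------------------------------------------------
+
+Security Fixes
+- OOB write (CVE-2006-4335)
+- Buffer underflow (CVE-2006-4336)
+- Buffer overflow (CVE-2006-4337)
+- Infinite loop (CVE-2006-4338)
+
+Index: gzip.h
+--- gzip.h.orig 2009-09-26 20:43:28 +0200
++++ gzip.h 2009-10-07 07:59:53 +0200
+@@ -223,6 +223,8 @@
+ extern int to_stdout; /* output to stdout (-c) */
+ extern int save_orig_name; /* set if original name must be saved */
+ 
++#define MIN(a,b) ((a) <= (b) ? (a) : (b))
++
+ #define get_byte() (inptr < insize ? inbuf[inptr++] : fill_inbuf(0))
+ #define try_byte() (inptr < insize ? inbuf[inptr++] : fill_inbuf(1))
+
+Index: unlzh.c
+--- unlzh.c.orig 2009-09-26 20:20:40 +0200
++++ unlzh.c 2009-10-07 07:59:53 +0200
+@@ -141,12 +141,17 @@
+ unsigned i, k, len, ch, jutbits, avail, nextcode, mask;
+ 
+ for (i = 1; i <= 16; i++) count[i] = 0;
+- for (i = 0; i < (unsigned)nchar; i++) count[bitlen[i]]++;
++ for (i = 0; i < (unsigned)nchar; i++) {
++ if (bitlen[i] > 16)
++ error("Bad table\n");
++ else
++ count[bitlen[i]]++;
++ }
+ 
+ start[1] = 0;
+ for (i = 1; i <= 16; i++)
+ start[i + 1] = start[i] + (count[i] << (16 - i));
+- if ((start[17] & 0xffff) != 0)
++ if ((start[17] & 0xffff) != 0 || tablebits > 16) /* 16 for weight below */
+ gzip_error ("Bad table\n");
+ 
+ jutbits = 16 - tablebits;
+@@ -161,15 +166,15 @@
+ 
+ i = start[tablebits + 1] >> jutbits;
+ if (i != 0) {
+- k = 1 << tablebits;
+- while (i != k) table[i++] = 0;
++ k = MIN(1 << tablebits, DIST_BUFSIZE);
++ while (i < k) table[i++] = 0;
+ }
+ 
+ avail = nchar;
+ mask = (unsigned) 1 << (15 - tablebits);
+ for (ch = 0; ch < (unsigned)nchar; ch++) {
+ if ((len = bitlen[ch]) == 0) continue;
+- nextcode = start[len] + weight[len];
++ nextcode = MIN(start[len] + weight[len], DIST_BUFSIZE);
+ if (len <= (unsigned)tablebits) {
+ if ((unsigned) 1 << tablebits < nextcode)
+ gzip_error ("Bad table\n");
+@@ -212,7 +217,7 @@
+ for (i = 0; i < 256; i++) pt_table[i] = c;
+ } else {
+ i = 0;
+- while (i < n) {
++ while (i < MIN(n,NPT)) {
+ c = bitbuf >> (BITBUFSIZ - 3);
+ if (c == 7) {
+ mask = (unsigned) 1 << (BITBUFSIZ - 1 - 3);
+@@ -224,7 +229,7 @@
+ pt_len[i++] = c;
+ if (i == i_special) {
+ c = getbits(2);
+- while (--c >= 0) pt_len[i++] = 0;
++ while (--c >= 0 && i < NPT) pt_len[i++] = 0;
+ }
+ }
+ while (i < nn) pt_len[i++] = 0;
+@@ -244,7 +249,7 @@
+ for (i = 0; i < 4096; i++) c_table[i] = c;
+ } else {
+ i = 0;
+- while (i < n) {
++ while (i < MIN(n,NC)) {
+ c = pt_table[bitbuf >> (BITBUFSIZ - 8)];
+ if (c >= NT) {
+ mask = (unsigned) 1 << (BITBUFSIZ - 1 - 8);
+@@ -252,14 +257,14 @@
+ if (bitbuf & mask) c = right[c];
+ else c = left [c];
+ mask >>= 1;
+- } while (c >= NT);
++ } while (c >= NT && (mask || c != left[c]));
+ }
+ fillbuf((int) pt_len[c]);
+ if (c <= 2) {
+ if (c == 0) c = 1;
+ else if (c == 1) c = getbits(4) + 3;
+ else c = getbits(CBIT) + 20;
+- while (--c >= 0) c_len[i++] = 0;
++ while (--c >= 0 && i < NC) c_len[i++] = 0;
+ } else c_len[i++] = c - 2;
+ }
+ while (i < NC) c_len[i++] = 0;
+@@ -288,7 +293,7 @@
+ if (bitbuf & mask) j = right[j];
+ else j = left [j];
+ mask >>= 1;
+- } while (j >= NC);
++ } while (j >= NC && (mask || j != left[j]));
+ }
+ fillbuf((int) c_len[j]);
+ return j;
+@@ -305,7 +310,7 @@
+ if (bitbuf & mask) j = right[j];
+ else j = left [j];
+ mask >>= 1;
+- } while (j >= NP);
++ } while (j >= NP && (mask || j != left[j]));
+ }
+ fillbuf((int) pt_len[j]);
+ if (j != 0) j = ((unsigned) 1 << (j - 1)) + getbits((int) (j - 1));
+@@ -352,7 +357,7 @@
+ while (--j >= 0) {
+ buffer[r] = buffer[i];
+ i = (i + 1) & (DICSIZ - 1);
+- if (++r == count) return r;
++ if (++r >= count) return r;
+ }
+ for ( ; ; ) {
+ c = decode_c();
+@@ -362,14 +367,14 @@
+ }
+ if (c <= UCHAR_MAX) {
+ buffer[r] = c;
+- if (++r == count) return r;
++ if (++r >= count) return r;
+ } else {
+ j = c - (UCHAR_MAX + 1 - THRESHOLD);
+ i = (r - decode_p() - 1) & (DICSIZ - 1);
+ while (--j >= 0) {
+ buffer[r] = buffer[i];
+ i = (i + 1) & (DICSIZ - 1);
+- if (++r == count) return r;
++ if (++r >= count) return r;
+ }
+ }
+ }
+Index: unpack.c
+--- unpack.c.orig 2009-09-26 20:43:28 +0200
++++ unpack.c 2009-10-07 07:59:53 +0200
+@@ -22,7 +22,6 @@
+ #include "gzip.h"
+ #include "crypt.h"
+ 
+-#define MIN(a,b) ((a) <= (b) ? (a) : (b))
+ /* The arguments must not have side effects. */
+ 
+ #define MAX_BITLEN 25
+@@ -146,7 +145,7 @@
+ /* Remember where the literals of this length start in literal[] : */
+ lit_base[len] = base;
+ /* And read the literals: */
+- for (n = leaves[len]; n > 0; n--) {
++ for (n = leaves[len]; n > 0 && base < LITERALS; n--) {
+ literal[base++] = (uch)get_byte();
+ }
+ }
+@@ -182,7 +181,7 @@
+ prefixp = &prefix_len[1<<peek_bits];
+ for (len = 1; len <= peek_bits; len++) {
+ int prefixes = leaves[len] << (peek_bits-len); /* may be 0 */
+- while (prefixes--) *--prefixp = (uch)len;
++ while (prefixes-- && prefixp > prefix_len) *--prefixp = (uch)len;
+ }
+ /* The length of all other codes is unknown: */
+ while (prefixp > prefix_len) *--prefixp = 0;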
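Review bot: The new bit-length guard in the unlzh.c `@@ -141,12 +141,17 @@` hunk reports the malformed table with `error("Bad table\n");`, while the neighbouring lines in the same patch (the `start[17]` check and the `nextcode` check) call `gzip_error ("Bad table\n");`; if this gzip tree only provides `gzip_error`, the added call will not resolve to the project's fatal-error routine (on glibc a bare `error` is an unrelated library function with a different signature, so the one-argument call would be a real defect rather than a style nit), and it should read `gzip_error ("Bad table\n");` to match. The `MIN` macro moved from unpack.c into gzip.h leaves its `/* The arguments must not have side effects. */` note orphaned in unpack.c; the comment should move with the macro, since the new callers in unlzh.c (`MIN(n,NPT)`, `MIN(n,NC)`, `MIN(start[len] + weight[len], DIST_BUFSIZE)`) depend on that double-evaluation caveat being visible at the definition. The enlarged `window` allocation in gzip.c carries only a comment about peeking past the buffer end; a note naming which read path overruns by up to 4096 bytes would make the constant reviewable later. Every inner hunk cuts through its enclosing function, so the declarations of `c`, `n` and `count` that these bounds checks rely on are outside the shown context.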