gzip/gzip.patch

Tue, 28 Aug 2012 18:28:45 +0200

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Tue, 28 Aug 2012 18:28:45 +0200
changeset 528
3b08e6396b45
permissions
-rw-r--r--

Massively update from 5.1 to 5.5 release, completely changing from
autotools to cmake build configuration along with the corresponding
corrections. Correct some less important problems like typical
German-English mistakes, and use parallel make for faster builds on
SMP and multicore architectures. Warning: the 5.5 releases of MySQL
seem to be as bug-ridden as the 5.1 releases; for example, building
the NDBCluster storage engine fails.

     1 Security Fix
     3 Index: gzip.c
     4 --- gzip.c.orig	2009-09-26 20:56:02 +0200
     5 +++ gzip.c	2009-10-07 07:59:53 +0200
     6 @@ -168,7 +168,7 @@
     7  DECLARE(uch, inbuf,  INBUFSIZ +INBUF_EXTRA);
     8  DECLARE(uch, outbuf, OUTBUFSIZ+OUTBUF_EXTRA);
     9  DECLARE(ush, d_buf,  DIST_BUFSIZE);
    10 -DECLARE(uch, window, 2L*WSIZE);
    11 +DECLARE(uch, window, 2L*WSIZE + 4096); /* enlarge to avoid crashs due to peeking beyond the buffer end */
    12  #ifndef MAXSEG_64K
    13      DECLARE(ush, tab_prefix, 1L<<BITS);
    14  #else
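Review bot: The `+ 4096` slack on `window` pads over the out-of-bounds peek instead of bounding it, and nothing in the hunk says which reader runs past `2L*WSIZE` or why 4096 bytes is a sufficient margin. If that reader's reach depends on the input, a fixed pad only moves the limit, so the read should be clamped to the buffer size where it happens (that code is outside this hunk). At minimum, name the constant and state the invariant, for example `#define WINDOW_SLACK 4096 /* max bytes any reader may peek past 2L*WSIZE */` (the name is a suggestion). The added comment also has a typo, `crashs` for `crashes`.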
    16 -----------------------------------------------------------------------------
    18 Security Fixes 
    19 - OOB write        (CVE-2006-4335)
    20 - Buffer underflow (CVE-2006-4336)
    21 - Buffer overflow  (CVE-2006-4337)
    22 - Infinite loop    (CVE-2006-4338)
    24 Index: gzip.h
    25 --- gzip.h.orig	2009-09-26 20:43:28 +0200
    26 +++ gzip.h	2009-10-07 07:59:53 +0200
    27 @@ -223,6 +223,8 @@
    28  extern int to_stdout;      /* output to stdout (-c) */
    29  extern int save_orig_name; /* set if original name must be saved */
    31 +#define MIN(a,b) ((a) <= (b) ? (a) : (b))
    32 +
    33  #define get_byte()  (inptr < insize ? inbuf[inptr++] : fill_inbuf(0))
    34  #define try_byte()  (inptr < insize ? inbuf[inptr++] : fill_inbuf(1))
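Review bot: `MIN` moves into the project-wide header without its caveat: the macro evaluates each argument twice, and the comment `/* The arguments must not have side effects. */` stays behind in unpack.c, where it is still visible as context after the removed `#define` and no longer annotates anything. Carry the comment along with the macro, e.g. `#define MIN(a,b) ((a) <= (b) ? (a) : (b)) /* arguments must not have side effects */`, and drop the orphan from unpack.c. An `#ifndef MIN` guard would also be prudent, because system headers such as `<sys/param.h>` define the same name on many platforms; whether any gzip source includes one is not visible here.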
    36 Index: unlzh.c
    37 --- unlzh.c.orig	2009-09-26 20:20:40 +0200
    38 +++ unlzh.c	2009-10-07 07:59:53 +0200
    39 @@ -141,12 +141,17 @@
    40      unsigned i, k, len, ch, jutbits, avail, nextcode, mask;
    42      for (i = 1; i <= 16; i++) count[i] = 0;
    43 -    for (i = 0; i < (unsigned)nchar; i++) count[bitlen[i]]++;
    44 +    for (i = 0; i < (unsigned)nchar; i++) {
    45 +        if (bitlen[i] > 16)
    46 +            error("Bad table\n");
    47 +        else
    48 +            count[bitlen[i]]++;
    49 +    }
    51      start[1] = 0;
    52      for (i = 1; i <= 16; i++)
    53  	start[i + 1] = start[i] + (count[i] << (16 - i));
    54 -    if ((start[17] & 0xffff) != 0)
    55 +    if ((start[17] & 0xffff) != 0 || tablebits > 16) /* 16 for weight below */
    56        gzip_error ("Bad table\n");
    58      jutbits = 16 - tablebits;
    59 @@ -161,15 +166,15 @@
    61      i = start[tablebits + 1] >> jutbits;
    62      if (i != 0) {
    63 -	k = 1 << tablebits;
    64 -	while (i != k) table[i++] = 0;
    65 +	k = MIN(1 << tablebits, DIST_BUFSIZE);
    66 +	while (i < k) table[i++] = 0;
    67      }
    69      avail = nchar;
    70      mask = (unsigned) 1 << (15 - tablebits);
    71      for (ch = 0; ch < (unsigned)nchar; ch++) {
    72  	if ((len = bitlen[ch]) == 0) continue;
    73 -	nextcode = start[len] + weight[len];
    74 +	nextcode = MIN(start[len] + weight[len], DIST_BUFSIZE);
    75  	if (len <= (unsigned)tablebits) {
    76  	    if ((unsigned) 1 << tablebits < nextcode)
    77  	      gzip_error ("Bad table\n");
    78 @@ -212,7 +217,7 @@
    79  	for (i = 0; i < 256; i++) pt_table[i] = c;
    80      } else {
    81  	i = 0;
    82 -	while (i < n) {
    83 +	while (i < MIN(n,NPT)) {
    84  	    c = bitbuf >> (BITBUFSIZ - 3);
    85  	    if (c == 7) {
    86  		mask = (unsigned) 1 << (BITBUFSIZ - 1 - 3);
    87 @@ -224,7 +229,7 @@
    88  	    pt_len[i++] = c;
    89  	    if (i == i_special) {
    90  		c = getbits(2);
    91 -		while (--c >= 0) pt_len[i++] = 0;
    92 +		while (--c >= 0 && i < NPT) pt_len[i++] = 0;
    93  	    }
    94  	}
    95  	while (i < nn) pt_len[i++] = 0;
    96 @@ -244,7 +249,7 @@
    97  	for (i = 0; i < 4096; i++) c_table[i] = c;
    98      } else {
    99  	i = 0;
   100 -	while (i < n) {
   101 +	while (i < MIN(n,NC)) {
   102  	    c = pt_table[bitbuf >> (BITBUFSIZ - 8)];
   103  	    if (c >= NT) {
   104  		mask = (unsigned) 1 << (BITBUFSIZ - 1 - 8);
   105 @@ -252,14 +257,14 @@
   106  		    if (bitbuf & mask) c = right[c];
   107  		    else               c = left [c];
   108  		    mask >>= 1;
   109 -		} while (c >= NT);
   110 +		} while (c >= NT && (mask || c != left[c]));
   111  	    }
   112  	    fillbuf((int) pt_len[c]);
   113  	    if (c <= 2) {
   114  		if      (c == 0) c = 1;
   115  		else if (c == 1) c = getbits(4) + 3;
   116  		else             c = getbits(CBIT) + 20;
   117 -		while (--c >= 0) c_len[i++] = 0;
   118 +		while (--c >= 0 && i < NC) c_len[i++] = 0;
   119  	    } else c_len[i++] = c - 2;
   120  	}
   121  	while (i < NC) c_len[i++] = 0;
   122 @@ -288,7 +293,7 @@
   123  	    if (bitbuf & mask) j = right[j];
   124  	    else               j = left [j];
   125  	    mask >>= 1;
   126 -	} while (j >= NC);
   127 +	} while (j >= NC && (mask || j != left[j]));
   128      }
   129      fillbuf((int) c_len[j]);
   130      return j;
   131 @@ -305,7 +310,7 @@
   132  	    if (bitbuf & mask) j = right[j];
   133  	    else               j = left [j];
   134  	    mask >>= 1;
   135 -	} while (j >= NP);
   136 +	} while (j >= NP && (mask || j != left[j]));
   137      }
   138      fillbuf((int) pt_len[j]);
   139      if (j != 0) j = ((unsigned) 1 << (j - 1)) + getbits((int) (j - 1));
   140 @@ -352,7 +357,7 @@
   141      while (--j >= 0) {
   142  	buffer[r] = buffer[i];
   143  	i = (i + 1) & (DICSIZ - 1);
   144 -	if (++r == count) return r;
   145 +	if (++r >= count) return r;
   146      }
   147      for ( ; ; ) {
   148  	c = decode_c();
   149 @@ -362,14 +367,14 @@
   150  	}
   151  	if (c <= UCHAR_MAX) {
   152  	    buffer[r] = c;
   153 -	    if (++r == count) return r;
   154 +	    if (++r >= count) return r;
   155  	} else {
   156  	    j = c - (UCHAR_MAX + 1 - THRESHOLD);
   157  	    i = (r - decode_p() - 1) & (DICSIZ - 1);
   158  	    while (--j >= 0) {
   159  		buffer[r] = buffer[i];
   160  		i = (i + 1) & (DICSIZ - 1);
   161 -		if (++r == count) return r;
   162 +		if (++r >= count) return r;
   163  	    }
   164  	}
   165      }
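Review bot: The new bit-length check in the first hunk calls `error("Bad table\n")`, while the context line a few statements later, and the one in the next hunk, call `gzip_error`. If this tree has renamed its fatal-error helper to `gzip_error`, as the context suggests, `error` is either undeclared or resolves to the C library's `error(int, int, const char *, ...)`. The guard that keeps `count[bitlen[i]]` in bounds would then misbehave on exactly the malformed input it exists for, so use `gzip_error ("Bad table\n");` there. Separately, the second hunk clamps `k` and `nextcode` to `DIST_BUFSIZE`, yet the later hunks fill `pt_table` with 256 and `c_table` with 4096 entries; if this routine is also called on those tables, the clamp does not keep `table[i++] = 0` inside them, and rejecting the table would be safer. The function bodies start and end outside the hunks, so the table declarations should be checked before relying on either bound.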
   166 Index: unpack.c
   167 --- unpack.c.orig	2009-09-26 20:43:28 +0200
   168 +++ unpack.c	2009-10-07 07:59:53 +0200
   169 @@ -22,7 +22,6 @@
   170  #include "gzip.h"
   171  #include "crypt.h"
   173 -#define MIN(a,b) ((a) <= (b) ? (a) : (b))
   174  /* The arguments must not have side effects. */
   176  #define MAX_BITLEN 25
   177 @@ -146,7 +145,7 @@
   178  	/* Remember where the literals of this length start in literal[] : */
   179  	lit_base[len] = base;
   180  	/* And read the literals: */
   181 -	for (n = leaves[len]; n > 0; n--) {
   182 +	for (n = leaves[len]; n > 0 && base < LITERALS; n--) {
   183  	    literal[base++] = (uch)get_byte();
   184  	}
   185      }
   186 @@ -182,7 +181,7 @@
   187      prefixp = &prefix_len[1<<peek_bits];
   188      for (len = 1; len <= peek_bits; len++) {
   189  	int prefixes = leaves[len] << (peek_bits-len); /* may be 0 */
   190 -	while (prefixes--) *--prefixp = (uch)len;
   191 +	while (prefixes-- && prefixp > prefix_len) *--prefixp = (uch)len;
   192      }
   193      /* The length of all other codes is unknown: */
   194      while (prefixp > prefix_len) *--prefixp = 0;
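Review bot: Both added bounds, `base < LITERALS` in the literal-reading loop and `prefixp > prefix_len` in the prefix fill, stop the write silently and let decoding continue with a tree the header did not describe. When the first loop exits early, the remaining literal bytes for that length are never consumed by `get_byte()`, so everything parsed afterwards is read from the wrong input offset. Treat reaching either limit as corrupt input and abort instead of truncating, e.g. `if (base >= LITERALS) gzip_error ("too many leaves in Huffman tree");` before the store. The helper name is taken from unlzh.c and the message text is a suggestion, so confirm what unpack.c actually uses. Both function bodies start and end outside the hunks.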
