gzip/gzip.patch

Fri, 03 Aug 2012 16:56:40 +0200

author
Michael Schloh von Bennewitz <michael@schloh.com>
date
Fri, 03 Aug 2012 16:56:40 +0200
changeset 467
e2558d4b246c
permissions
-rw-r--r--

Correct mother header in the case of C++ cstdio definition.

     1 Security Fix
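Index: gzip.c
--- gzip.c.orig	2009-09-26 20:56:02 +0200
+++ gzip.c	2009-10-07 07:59:53 +0200
@@ -168,7 +168,7 @@
 DECLARE(uch, inbuf,  INBUFSIZ +INBUF_EXTRA);
 DECLARE(uch, outbuf, OUTBUFSIZ+OUTBUF_EXTRA);
 DECLARE(ush, d_buf,  DIST_BUFSIZE);
-DECLARE(uch, window, 2L*WSIZE);
+DECLARE(uch, window, 2L*WSIZE + 4096); /* enlarge to avoid crashs due to peeking beyond the buffer end */
 #ifndef MAXSEG_64K
     DECLARE(ush, tab_prefix, 1L<<BITS);
 #else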
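Review bot: The `+ 4096` slack added to `window` hides the read past the buffer end instead of bounding it, and nothing in the hunk shows why 4096 bytes covers the furthest peek. If the padding is kept, the comment should name the routine that peeks and the maximum look-ahead it can reach, for example `/* slack for <routine>: reads at most <N> bytes past 2L*WSIZE */`, so a later change to that routine does not silently outgrow it. The comment also has a typo: `crashs` should read `crashes`.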
    16 -----------------------------------------------------------------------------
    18 Security Fixes 
    19 - OOB write        (CVE-2006-4335)
    20 - Buffer underflow (CVE-2006-4336)
    21 - Buffer overflow  (CVE-2006-4337)
    22 - Infinite loop    (CVE-2006-4338)
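Index: gzip.h
--- gzip.h.orig	2009-09-26 20:43:28 +0200
+++ gzip.h	2009-10-07 07:59:53 +0200
@@ -223,6 +223,8 @@
 extern int to_stdout;      /* output to stdout (-c) */
 extern int save_orig_name; /* set if original name must be saved */
+#define MIN(a,b) ((a) <= (b) ? (a) : (b))
+
 #define get_byte()  (inptr < insize ? inbuf[inptr++] : fill_inbuf(0))
 #define try_byte()  (inptr < insize ? inbuf[inptr++] : fill_inbuf(1))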
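Review bot: `MIN` evaluates each argument twice, and the caveat that documented this, `/* The arguments must not have side effects. */`, is left behind in unpack.c where the define is removed, so it now sits above `MAX_BITLEN` with nothing to describe. Move that comment next to the macro here. Because gzip.h is included by the other sources on this page, guarding the definition with `#ifndef MIN` would also avoid a redefinition warning if a system header already provides `MIN`; that is not visible here, so it is worth checking.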
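Index: unlzh.c
--- unlzh.c.orig	2009-09-26 20:20:40 +0200
+++ unlzh.c	2009-10-07 07:59:53 +0200
@@ -141,12 +141,17 @@
     unsigned i, k, len, ch, jutbits, avail, nextcode, mask;
     for (i = 1; i <= 16; i++) count[i] = 0;
-    for (i = 0; i < (unsigned)nchar; i++) count[bitlen[i]]++;
+    for (i = 0; i < (unsigned)nchar; i++) {
+        if (bitlen[i] > 16)
+            error("Bad table\n");
+        else
+            count[bitlen[i]]++;
+    }
     start[1] = 0;
     for (i = 1; i <= 16; i++)
 	start[i + 1] = start[i] + (count[i] << (16 - i));
-    if ((start[17] & 0xffff) != 0)
+    if ((start[17] & 0xffff) != 0 || tablebits > 16) /* 16 for weight below */
       gzip_error ("Bad table\n");
     jutbits = 16 - tablebits;
@@ -161,15 +166,15 @@
     i = start[tablebits + 1] >> jutbits;
     if (i != 0) {
-	k = 1 << tablebits;
-	while (i != k) table[i++] = 0;
+	k = MIN(1 << tablebits, DIST_BUFSIZE);
+	while (i < k) table[i++] = 0;
     }
     avail = nchar;
     mask = (unsigned) 1 << (15 - tablebits);
     for (ch = 0; ch < (unsigned)nchar; ch++) {
 	if ((len = bitlen[ch]) == 0) continue;
-	nextcode = start[len] + weight[len];
+	nextcode = MIN(start[len] + weight[len], DIST_BUFSIZE);
 	if (len <= (unsigned)tablebits) {
 	    if ((unsigned) 1 << tablebits < nextcode)
 	      gzip_error ("Bad table\n");
@@ -212,7 +217,7 @@
 	for (i = 0; i < 256; i++) pt_table[i] = c;
     } else {
 	i = 0;
-	while (i < n) {
+	while (i < MIN(n,NPT)) {
 	    c = bitbuf >> (BITBUFSIZ - 3);
 	    if (c == 7) {
 		mask = (unsigned) 1 << (BITBUFSIZ - 1 - 3);
@@ -224,7 +229,7 @@
 	    pt_len[i++] = c;
 	    if (i == i_special) {
 		c = getbits(2);
-		while (--c >= 0) pt_len[i++] = 0;
+		while (--c >= 0 && i < NPT) pt_len[i++] = 0;
 	    }
 	}
 	while (i < nn) pt_len[i++] = 0;
@@ -244,7 +249,7 @@
 	for (i = 0; i < 4096; i++) c_table[i] = c;
     } else {
 	i = 0;
-	while (i < n) {
+	while (i < MIN(n,NC)) {
 	    c = pt_table[bitbuf >> (BITBUFSIZ - 8)];
 	    if (c >= NT) {
 		mask = (unsigned) 1 << (BITBUFSIZ - 1 - 8);
@@ -252,14 +257,14 @@
 		    if (bitbuf & mask) c = right[c];
 		    else               c = left [c];
 		    mask >>= 1;
-		} while (c >= NT);
+		} while (c >= NT && (mask || c != left[c]));
 	    }
 	    fillbuf((int) pt_len[c]);
 	    if (c <= 2) {
 		if      (c == 0) c = 1;
 		else if (c == 1) c = getbits(4) + 3;
 		else             c = getbits(CBIT) + 20;
-		while (--c >= 0) c_len[i++] = 0;
+		while (--c >= 0 && i < NC) c_len[i++] = 0;
 	    } else c_len[i++] = c - 2;
 	}
 	while (i < NC) c_len[i++] = 0;
@@ -288,7 +293,7 @@
 	    if (bitbuf & mask) j = right[j];
 	    else               j = left [j];
 	    mask >>= 1;
-	} while (j >= NC);
+	} while (j >= NC && (mask || j != left[j]));
     }
     fillbuf((int) c_len[j]);
     return j;
@@ -305,7 +310,7 @@
 	    if (bitbuf & mask) j = right[j];
 	    else               j = left [j];
 	    mask >>= 1;
-	} while (j >= NP);
+	} while (j >= NP && (mask || j != left[j]));
     }
     fillbuf((int) pt_len[j]);
     if (j != 0) j = ((unsigned) 1 << (j - 1)) + getbits((int) (j - 1));
@@ -352,7 +357,7 @@
     while (--j >= 0) {
 	buffer[r] = buffer[i];
 	i = (i + 1) & (DICSIZ - 1);
-	if (++r == count) return r;
+	if (++r >= count) return r;
     }
     for ( ; ; ) {
 	c = decode_c();
@@ -362,14 +367,14 @@
 	}
 	if (c <= UCHAR_MAX) {
 	    buffer[r] = c;
-	    if (++r == count) return r;
+	    if (++r >= count) return r;
 	} else {
 	    j = c - (UCHAR_MAX + 1 - THRESHOLD);
 	    i = (r - decode_p() - 1) & (DICSIZ - 1);
 	    while (--j >= 0) {
 		buffer[r] = buffer[i];
 		i = (i + 1) & (DICSIZ - 1);
-		if (++r == count) return r;
+		if (++r >= count) return r;
 	    }
 	}
     }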
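Review bot: In the first hunk (`@@ -141,12 +141,17 @@`) the new bounds check reports through `error("Bad table\n")`, while every other failure path shown for this file uses `gzip_error ("Bad table\n")`. Whether a compatible `error` is declared is not visible here; if it is not, the call is either implicitly declared or binds to a different function with another signature, and the check on `bitlen[i] > 16` may then not abort at all. Use `gzip_error ("Bad table\n");` on that line. Separately, the `MIN(..., DIST_BUFSIZE)`, `MIN(n,NPT)` and `MIN(n,NC)` clamps in the later hunks truncate silently; rejecting the input as a bad table would be easier to diagnose than decoding with a shortened table. The enclosing functions start and end outside the hunks.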
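Index: unpack.c
--- unpack.c.orig	2009-09-26 20:43:28 +0200
+++ unpack.c	2009-10-07 07:59:53 +0200
@@ -22,7 +22,6 @@
 #include "gzip.h"
 #include "crypt.h"
-#define MIN(a,b) ((a) <= (b) ? (a) : (b))
 /* The arguments must not have side effects. */
 #define MAX_BITLEN 25
@@ -146,7 +145,7 @@
 	/* Remember where the literals of this length start in literal[] : */
 	lit_base[len] = base;
 	/* And read the literals: */
-	for (n = leaves[len]; n > 0; n--) {
+	for (n = leaves[len]; n > 0 && base < LITERALS; n--) {
 	    literal[base++] = (uch)get_byte();
 	}
     }
@@ -182,7 +181,7 @@
     prefixp = &prefix_len[1<<peek_bits];
     for (len = 1; len <= peek_bits; len++) {
 	int prefixes = leaves[len] << (peek_bits-len); /* may be 0 */
-	while (prefixes--) *--prefixp = (uch)len;
+	while (prefixes-- && prefixp > prefix_len) *--prefixp = (uch)len;
     }
     /* The length of all other codes is unknown: */
     while (prefixp > prefix_len) *--prefixp = 0;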
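Review bot: In the `@@ -146,7 +145,7 @@` hunk the loop now stops writing once `base` reaches `LITERALS`, but it also stops calling `get_byte()`, so the remaining `n` literal bytes stay in the input and decoding carries on with a truncated table and a misaligned stream. Treat this as corrupt input instead: after the loop, `if (n > 0) gzip_error ("Bad table\n");`, assuming `gzip_error` is available here through gzip.h as it is in unlzh.c on this page. The same silent-stop pattern applies to the `prefixp > prefix_len` guard in the `@@ -182,7 +181,7 @@` hunk. The surrounding functions start and end outside the hunks.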
