[people/amarx/ipfire-3.x.git] / gzip / patches / gzip-1.3.13-cve-2006-4337.patch

--- gzip-1.3.9/unlzh.c.4337	2007-01-15 16:31:53.000000000 +0100
+++ gzip-1.3.9/unlzh.c	2007-01-15 16:38:08.000000000 +0100
@@ -146,8 +146,8 @@
     start[1] = 0;
     for (i = 1; i <= 16; i++)
         start[i + 1] = start[i] + (count[i] << (16 - i));
-    if ((start[17] & 0xffff) != 0)
-      gzip_error ("Bad table\n");
+   if ((start[17] & 0xffff) != 0 || tablebits > 16) /* 16 for weight below */
+      gzip_error ("Bad table (case b)\n"); 
 
     jutbits = 16 - tablebits;
     for (i = 1; i <= (unsigned)tablebits; i++) {
@@ -161,15 +162,15 @@
 
     i = start[tablebits + 1] >> jutbits;
     if (i != 0) {
-        k = 1 << tablebits;
-        while (i != k) table[i++] = 0;
+        k = MIN(1 << tablebits, DIST_BUFSIZE);
+        while (i < k) table[i++] = 0;
     }
 
     avail = nchar;
     mask = (unsigned) 1 << (15 - tablebits);
     for (ch = 0; ch < (unsigned)nchar; ch++) {
         if ((len = bitlen[ch]) == 0) continue;
-        nextcode = start[len] + weight[len];
+        nextcode = MIN(start[len] + weight[len], DIST_BUFSIZE);
         if (len <= (unsigned)tablebits) {
             if ((unsigned) 1 << tablebits < nextcode)
               gzip_error ("Bad table\n");
@@ -212,7 +213,7 @@
         for (i = 0; i < 256; i++) pt_table[i] = c;
     } else {
         i = 0;
-        while (i < n) {
+        while (i < MIN(n,NPT)) {
             c = bitbuf >> (BITBUFSIZ - 3);
             if (c == 7) {
                 mask = (unsigned) 1 << (BITBUFSIZ - 1 - 3);
@@ -224,7 +225,7 @@
             pt_len[i++] = c;
             if (i == i_special) {
                 c = getbits(2);
-                while (--c >= 0) pt_len[i++] = 0;
+                while (--c >= 0 && i < NPT) pt_len[i++] = 0; 
             }
         }
         while (i < nn) pt_len[i++] = 0;
@@ -244,7 +245,7 @@
         for (i = 0; i < 4096; i++) c_table[i] = c;
     } else {
         i = 0;
-        while (i < n) {
+        while (i < MIN(n,NC)) { 
             c = pt_table[bitbuf >> (BITBUFSIZ - 8)];
             if (c >= NT) {
                 mask = (unsigned) 1 << (BITBUFSIZ - 1 - 8);
@@ -259,7 +260,7 @@
                 if      (c == 0) c = 1;
                 else if (c == 1) c = getbits(4) + 3;
                 else             c = getbits(CBIT) + 20;
-                while (--c >= 0) c_len[i++] = 0;
+                while (--c >= 0 && i < NC) c_len[i++] = 0; 
             } else c_len[i++] = c - 2;
         }
         while (i < NC) c_len[i++] = 0;
@@ -352,7 +353,7 @@
     while (--j >= 0) {
         buffer[r] = buffer[i];
         i = (i + 1) & (DICSIZ - 1);
-        if (++r == count) return r;
+        if (++r >= count) return r;
     }
     for ( ; ; ) {
         c = decode_c();
@@ -362,14 +363,14 @@
         }
         if (c <= UCHAR_MAX) {
             buffer[r] = c;
-            if (++r == count) return r;
+            if (++r >= count) return r;
         } else {
             j = c - (UCHAR_MAX + 1 - THRESHOLD);
             i = (r - decode_p() - 1) & (DICSIZ - 1);
             while (--j >= 0) {
                 buffer[r] = buffer[i];
                 i = (i + 1) & (DICSIZ - 1);
-                if (++r == count) return r;
+                if (++r >= count) return r;
             }
         }
     }
--- gzip-1.3.9/gzip.h.4337	2007-01-15 16:31:53.000000000 +0100
+++ gzip-1.3.9/gzip.h	2007-01-15 16:38:52.000000000 +0100
@@ -224,6 +224,8 @@
 #define get_byte()  (inptr < insize ? inbuf[inptr++] : fill_inbuf(0))
 #define try_byte()  (inptr < insize ? inbuf[inptr++] : fill_inbuf(1))
 
+#define MIN(a,b) ((a) <= (b) ? (a) : (b)) 
+
 /* put_byte is used for the compressed output, put_ubyte for the
  * uncompressed output. However unlzw() uses window for its
  * suffix table instead of its output buffer, so it does not use put_ubyte
--- gzip-1.3.9/unpack.c.4337	2007-01-15 16:31:53.000000000 +0100
+++ gzip-1.3.9/unpack.c	2007-01-15 16:39:12.000000000 +0100
@@ -21,9 +21,6 @@
 #include "tailor.h"
 #include "gzip.h"
 
-#define MIN(a,b) ((a) <= (b) ? (a) : (b))
-/* The arguments must not have side effects. */
-
 #define MAX_BITLEN 25
 /* Maximum length of Huffman codes. (Minor modifications to the code
  * would be needed to support 32 bits codes, but pack never generates
Commit	Line	Data
d8f72415 SS	1	--- gzip-1.3.9/unlzh.c.4337 2007-01-15 16:31:53.000000000 +0100
	2	+++ gzip-1.3.9/unlzh.c 2007-01-15 16:38:08.000000000 +0100
	3	@@ -146,8 +146,8 @@
	4	start[1] = 0;
	5	for (i = 1; i <= 16; i++)
	6	start[i + 1] = start[i] + (count[i] << (16 - i));
	7	- if ((start[17] & 0xffff) != 0)
	8	- gzip_error ("Bad table\n");
	9	+ if ((start[17] & 0xffff) != 0 \|\| tablebits > 16) /* 16 for weight below */
	10	+ gzip_error ("Bad table (case b)\n");
	11
	12	jutbits = 16 - tablebits;
	13	for (i = 1; i <= (unsigned)tablebits; i++) {
	14	@@ -161,15 +162,15 @@
	15
	16	i = start[tablebits + 1] >> jutbits;
	17	if (i != 0) {
	18	- k = 1 << tablebits;
	19	- while (i != k) table[i++] = 0;
	20	+ k = MIN(1 << tablebits, DIST_BUFSIZE);
	21	+ while (i < k) table[i++] = 0;
	22	}
	23
	24	avail = nchar;
	25	mask = (unsigned) 1 << (15 - tablebits);
	26	for (ch = 0; ch < (unsigned)nchar; ch++) {
	27	if ((len = bitlen[ch]) == 0) continue;
	28	- nextcode = start[len] + weight[len];
	29	+ nextcode = MIN(start[len] + weight[len], DIST_BUFSIZE);
	30	if (len <= (unsigned)tablebits) {
	31	if ((unsigned) 1 << tablebits < nextcode)
	32	gzip_error ("Bad table\n");
	33	@@ -212,7 +213,7 @@
	34	for (i = 0; i < 256; i++) pt_table[i] = c;
	35	} else {
	36	i = 0;
	37	- while (i < n) {
	38	+ while (i < MIN(n,NPT)) {
	39	c = bitbuf >> (BITBUFSIZ - 3);
	40	if (c == 7) {
	41	mask = (unsigned) 1 << (BITBUFSIZ - 1 - 3);
	42	@@ -224,7 +225,7 @@
	43	pt_len[i++] = c;
	44	if (i == i_special) {
	45	c = getbits(2);
	46	- while (--c >= 0) pt_len[i++] = 0;
	47	+ while (--c >= 0 && i < NPT) pt_len[i++] = 0;
	48	}
	49	}
	50	while (i < nn) pt_len[i++] = 0;
	51	@@ -244,7 +245,7 @@
	52	for (i = 0; i < 4096; i++) c_table[i] = c;
	53	} else {
	54	i = 0;
	55	- while (i < n) {
	56	+ while (i < MIN(n,NC)) {
	57	c = pt_table[bitbuf >> (BITBUFSIZ - 8)];
	58	if (c >= NT) {
	59	mask = (unsigned) 1 << (BITBUFSIZ - 1 - 8);
	60	@@ -259,7 +260,7 @@
	61	if (c == 0) c = 1;
	62	else if (c == 1) c = getbits(4) + 3;
	63	else c = getbits(CBIT) + 20;
	64	- while (--c >= 0) c_len[i++] = 0;
65	+ while (--c >= 0 && i < NC) c_len[i++] = 0;
66	} else c_len[i++] = c - 2;
67	}
68	while (i < NC) c_len[i++] = 0;
69	@@ -352,7 +353,7 @@
70	while (--j >= 0) {
71	buffer[r] = buffer[i];
72	i = (i + 1) & (DICSIZ - 1);
73	- if (++r == count) return r;
74	+ if (++r >= count) return r;
75	}
76	for ( ; ; ) {
77	c = decode_c();
78	@@ -362,14 +363,14 @@
79	}
80	if (c <= UCHAR_MAX) {
81	buffer[r] = c;
82	- if (++r == count) return r;
83	+ if (++r >= count) return r;
84	} else {
85	j = c - (UCHAR_MAX + 1 - THRESHOLD);
86	i = (r - decode_p() - 1) & (DICSIZ - 1);
87	while (--j >= 0) {
88	buffer[r] = buffer[i];
89	i = (i + 1) & (DICSIZ - 1);
90	- if (++r == count) return r;
91	+ if (++r >= count) return r;
92	}
93	}
94	}
95	--- gzip-1.3.9/gzip.h.4337 2007-01-15 16:31:53.000000000 +0100
96	+++ gzip-1.3.9/gzip.h 2007-01-15 16:38:52.000000000 +0100
97	@@ -224,6 +224,8 @@
98	#define get_byte() (inptr < insize ? inbuf[inptr++] : fill_inbuf(0))
99	#define try_byte() (inptr < insize ? inbuf[inptr++] : fill_inbuf(1))
100
101	+#define MIN(a,b) ((a) <= (b) ? (a) : (b))
102	+
103	/* put_byte is used for the compressed output, put_ubyte for the
104	* uncompressed output. However unlzw() uses window for its
105	* suffix table instead of its output buffer, so it does not use put_ubyte
106	--- gzip-1.3.9/unpack.c.4337 2007-01-15 16:31:53.000000000 +0100
107	+++ gzip-1.3.9/unpack.c 2007-01-15 16:39:12.000000000 +0100
108	@@ -21,9 +21,6 @@
109	#include "tailor.h"
110	#include "gzip.h"
111
112	-#define MIN(a,b) ((a) <= (b) ? (a) : (b))
113	-/* The arguments must not have side effects. */
114	-
115	#define MAX_BITLEN 25
116	/* Maximum length of Huffman codes. (Minor modifications to the code
117	* would be needed to support 32 bits codes, but pack never generates
118