gzip/patches/gzip-1.3.13-cve-2006-4337.patch

   1 --- gzip-1.3.9/unlzh.c.4337     2007-01-15 16:31:53.000000000 +0100
   2 +++ gzip-1.3.9/unlzh.c  2007-01-15 16:38:08.000000000 +0100
   3 @@ -146,8 +146,8 @@
   4      start[1] = 0;
   5      for (i = 1; i <= 16; i++)
   6          start[i + 1] = start[i] + (count[i] << (16 - i));
   7 -    if ((start[17] & 0xffff) != 0)
   8 -      gzip_error ("Bad table\n");
   9 +   if ((start[17] & 0xffff) != 0 || tablebits > 16) /* 16 for weight below */
  10 +      gzip_error ("Bad table (case b)\n");
  11
  12      jutbits = 16 - tablebits;
  13      for (i = 1; i <= (unsigned)tablebits; i++) {
  14 @@ -161,15 +162,15 @@
  15
  16      i = start[tablebits + 1] >> jutbits;
  17      if (i != 0) {
  18 -        k = 1 << tablebits;
  19 -        while (i != k) table[i++] = 0;
  20 +        k = MIN(1 << tablebits, DIST_BUFSIZE);
  21 +        while (i < k) table[i++] = 0;
  22      }
  23
  24      avail = nchar;
  25      mask = (unsigned) 1 << (15 - tablebits);
  26      for (ch = 0; ch < (unsigned)nchar; ch++) {
  27          if ((len = bitlen[ch]) == 0) continue;
  28 -        nextcode = start[len] + weight[len];
  29 +        nextcode = MIN(start[len] + weight[len], DIST_BUFSIZE);
  30          if (len <= (unsigned)tablebits) {
  31              if ((unsigned) 1 << tablebits < nextcode)
  32                gzip_error ("Bad table\n");
  33 @@ -212,7 +213,7 @@
  34          for (i = 0; i < 256; i++) pt_table[i] = c;
  35      } else {
  36          i = 0;
  37 -        while (i < n) {
  38 +        while (i < MIN(n,NPT)) {
  39              c = bitbuf >> (BITBUFSIZ - 3);
  40              if (c == 7) {
  41                  mask = (unsigned) 1 << (BITBUFSIZ - 1 - 3);
  42 @@ -224,7 +225,7 @@
  43              pt_len[i++] = c;
  44              if (i == i_special) {
  45                  c = getbits(2);
  46 -                while (--c >= 0) pt_len[i++] = 0;
  47 +                while (--c >= 0 && i < NPT) pt_len[i++] = 0;
  48              }
  49          }
  50          while (i < nn) pt_len[i++] = 0;
  51 @@ -244,7 +245,7 @@
  52          for (i = 0; i < 4096; i++) c_table[i] = c;
  53      } else {
  54          i = 0;
  55 -        while (i < n) {
  56 +        while (i < MIN(n,NC)) {
  57              c = pt_table[bitbuf >> (BITBUFSIZ - 8)];
  58              if (c >= NT) {
  59                  mask = (unsigned) 1 << (BITBUFSIZ - 1 - 8);
  60 @@ -259,7 +260,7 @@
  61                  if      (c == 0) c = 1;
  62                  else if (c == 1) c = getbits(4) + 3;
  63                  else             c = getbits(CBIT) + 20;
  64 -                while (--c >= 0) c_len[i++] = 0;
  65 +                while (--c >= 0 && i < NC) c_len[i++] = 0;
  66              } else c_len[i++] = c - 2;
  67          }
  68          while (i < NC) c_len[i++] = 0;
  69 @@ -352,7 +353,7 @@
  70      while (--j >= 0) {
  71          buffer[r] = buffer[i];
  72          i = (i + 1) & (DICSIZ - 1);
  73 -        if (++r == count) return r;
  74 +        if (++r >= count) return r;
  75      }
  76      for ( ; ; ) {
  77          c = decode_c();
  78 @@ -362,14 +363,14 @@
  79          }
  80          if (c <= UCHAR_MAX) {
  81              buffer[r] = c;
  82 -            if (++r == count) return r;
  83 +            if (++r >= count) return r;
  84          } else {
  85              j = c - (UCHAR_MAX + 1 - THRESHOLD);
  86              i = (r - decode_p() - 1) & (DICSIZ - 1);
  87              while (--j >= 0) {
  88                  buffer[r] = buffer[i];
  89                  i = (i + 1) & (DICSIZ - 1);
  90 -                if (++r == count) return r;
  91 +                if (++r >= count) return r;
  92              }
  93          }
  94      }
  95 --- gzip-1.3.9/gzip.h.4337      2007-01-15 16:31:53.000000000 +0100
  96 +++ gzip-1.3.9/gzip.h   2007-01-15 16:38:52.000000000 +0100
  97 @@ -224,6 +224,8 @@
  98  #define get_byte()  (inptr < insize ? inbuf[inptr++] : fill_inbuf(0))
  99  #define try_byte()  (inptr < insize ? inbuf[inptr++] : fill_inbuf(1))
 100
 101 +#define MIN(a,b) ((a) <= (b) ? (a) : (b))
 102 +
 103  /* put_byte is used for the compressed output, put_ubyte for the
 104   * uncompressed output. However unlzw() uses window for its
 105   * suffix table instead of its output buffer, so it does not use put_ubyte
 106 --- gzip-1.3.9/unpack.c.4337    2007-01-15 16:31:53.000000000 +0100
 107 +++ gzip-1.3.9/unpack.c 2007-01-15 16:39:12.000000000 +0100
 108 @@ -21,9 +21,6 @@
 109  #include "tailor.h"
 110  #include "gzip.h"
 111
 112 -#define MIN(a,b) ((a) <= (b) ? (a) : (b))
 113 -/* The arguments must not have side effects. */
 114 -
 115  #define MAX_BITLEN 25
 116  /* Maximum length of Huffman codes. (Minor modifications to the code
 117   * would be needed to support 32 bits codes, but pack never generates
 118