From: Mark Adler <madler@alumni.caltech.edu>
Date: Mon, 21 Jan 2013 18:15:51 +0000 (-0800)
Subject: Check for invalid code length codes in contrib/puff.
X-Git-Tag: v1.2.7.1~26
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=10056909c00bca2684340856ce20272f3fd8fa43;p=thirdparty%2Fzlib-ng.git

Check for invalid code length codes in contrib/puff.

Without this fix, it would be possible to construct inputs to puff
that would cause it to segfault.
---

diff --git a/contrib/puff/puff.c b/contrib/puff/puff.c
index df8470c93..ba58483d5 100644
--- a/contrib/puff/puff.c
+++ b/contrib/puff/puff.c
@@ -1,8 +1,8 @@
 /*
  * puff.c
- * Copyright (C) 2002-2010 Mark Adler
+ * Copyright (C) 2002-2013 Mark Adler
  * For conditions of distribution and use, see copyright notice in puff.h
- * version 2.2, 25 Apr 2010
+ * version 2.3, 21 Jan 2013
  *
  * puff.c is a simple inflate written to be an unambiguous way to specify the
  * deflate format.  It is not written for speed but rather simplicity.  As a
@@ -76,6 +76,7 @@
  *                      - Move NIL to puff.h
  *                      - Allow incomplete code only if single code length is 1
  *                      - Add full code coverage test to Makefile
+ * 2.3  21 Jan 2013     - Check for invalid code length codes in dynamic blocks
  */
 
 #include <setjmp.h>             /* for setjmp(), longjmp(), and jmp_buf */
@@ -704,6 +705,8 @@ local int dynamic(struct state *s)
         int len;                /* last length to repeat */
 
         symbol = decode(s, &lencode);
+        if (symbol < 0)
+            return symbol;          /* invalid symbol */
         if (symbol < 16)                /* length in 0..15 */
             lengths[index++] = symbol;
         else {                          /* repeat instruction */
diff --git a/contrib/puff/puff.h b/contrib/puff/puff.h
index 6a0080ae1..e23a24543 100644
--- a/contrib/puff/puff.h
+++ b/contrib/puff/puff.h
@@ -1,6 +1,6 @@
 /* puff.h
-  Copyright (C) 2002-2010 Mark Adler, all rights reserved
-  version 2.2, 25 Apr 2010
+  Copyright (C) 2002-2013 Mark Adler, all rights reserved
+  version 2.3, 21 Jan 2013
 
   This software is provided 'as-is', without any express or implied
   warranty.  In no event will the author be held liable for any damages
diff --git a/contrib/puff/pufftest.c b/contrib/puff/pufftest.c
index 76e35f66b..776481488 100644
--- a/contrib/puff/pufftest.c
+++ b/contrib/puff/pufftest.c
@@ -1,8 +1,8 @@
 /*
  * pufftest.c
- * Copyright (C) 2002-2010 Mark Adler
+ * Copyright (C) 2002-2013 Mark Adler
  * For conditions of distribution and use, see copyright notice in puff.h
- * version 2.2, 25 Apr 2010
+ * version 2.3, 21 Jan 2013
  */
 
 /* Example of how to use puff().