Ok, here's the dealio (don't know if internal knows, so apologies if
this is known):
zlib in cooker is patched to fix the double free() sec bug...
However, this patch has not fixed (at least from my end) the problem...
First of all, never count on WUIs for up-to-date info!
To the point:
$ bzcat ../SOURCES/zlib-1.1.3-zfree.patch.bz2
diff -ruN zlib-1.1.3.orig/infblock.c zlib-1.1.3/infblock.c
--- zlib-1.1.3.orig/infblock.c Mon Jun 8 19:06:16 1998
+++ zlib-1.1.3/infblock.c Thu Feb 7 11:41:57 2002
@@ -249,10 +249,11 @@
&s->sub.trees.tb, s->hufts, z);
if (t != Z_OK)
{
- ZFREE(z, s->sub.trees.blens);
r = t;
- if (r == Z_DATA_ERROR)
+ if (r == Z_DATA_ERROR) {
+ ZFREE(z, s->sub.trees.blens);
s->mode = BAD;
+ }
LEAVE
}
s->sub.trees.index = 0;
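Review bot: moving ZFREE(z, s->sub.trees.blens) under the Z_DATA_ERROR branch means blens is now released only on the path where s->mode becomes BAD; on any other error the function leaves with the buffer still allocated and the mode unchanged, so there is a single owner left to free it later. That is the correct ownership rule, but the freed pointer is left dangling: adding `s->sub.trees.blens = Z_NULL;` right after the ZFREE would keep the BAD path safe even if a later cleanup is ever changed to free regardless of mode.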
@@ -313,11 +314,12 @@
t = inflate_trees_dynamic(257 + (t & 0x1f), 1 + ((t >> 5) &
0x1f),
s->sub.trees.blens, &bl, &bd, &tl,
&td,
s->hufts, z);
- ZFREE(z, s->sub.trees.blens);
if (t != Z_OK)
{
- if (t == (uInt)Z_DATA_ERROR)
+ if (t == (uInt)Z_DATA_ERROR) {
+ ZFREE(z, s->sub.trees.blens);
s->mode = BAD;
+ }
r = t;
LEAVE
}
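Review bot: removing the unconditional ZFREE before `if (t != Z_OK)` is the core of the fix. Previously blens was freed for every return value of inflate_trees_dynamic, but for errors other than Z_DATA_ERROR the function returned with the mode still DTREE and the freed pointer still stored, which is exactly what allowed it to be freed a second time. Now it is freed only on the Z_DATA_ERROR path, where the mode becomes BAD. Same remark as in the first hunk: clear s->sub.trees.blens after the ZFREE. Minor: the pre-existing `(uInt)Z_DATA_ERROR` cast compares a negative error code against an unsigned t, which is inconsistent with the plain `t != Z_OK` test two lines above; worth normalising while this code is being touched.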
@@ -329,6 +331,7 @@
}
s->sub.decode.codes = c;
}
+ ZFREE(z, s->sub.trees.blens);
s->mode = CODES;
case CODES:
UPDATE
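Review bot: the ZFREE now runs only after inflate_codes_new has succeeded and s->sub.decode.codes is set, immediately before the mode moves to CODES. That keeps blens alive across the allocation-failure return just above this hunk (where the function leaves with the mode still DTREE), consistent with the other two hunks. Since the ownership rule for blens is now spread over three places, a one-line comment at the new ZFREE stating that blens must survive any non-fatal error so a retry can rebuild the trees would help the next reader.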
$
Patch is there, has been for a while... (since Feb FYI).
However, as stated above, the patch does not fix (REPEAT: this is from my
end, my system) the hole:
$ rpm -q zlib1
zlib1-1.1.3-19mdk
$ cat 2free.c
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char* argv[]) {
    void* foo = malloc(16);
    free(foo);
    free(foo);   /* deliberate second free() of the same pointer */
    printf("Program ran to completion.\n");
    return 0;
}
$ export MALLOC_CHECK=2 && gcc -o 2free 2free.c && ./2free
Segmentation fault (core dumped)
$
So, that is the "dealio" : )
Tashi Delek : )
--
Bryan Paxton
Public PGP key: http://www.deadhorse.net/bpaxton.gpg
Trying, the volition devoid of action, this is idleness.
Doing, the volition replete in motion, a process.
Being that all things are impermanent, this process is constant.
If one realizes such, the process is in all actuality, one step.
A motion that can not be reversed, but may be halted.
Both ways does this sway.