Package: zlib1g
Version: 1:1.2.3.4.dfsg-3
Severity: normal
Tags: patch

Here's a patch to avoid referencing uninitialized heap while
inflating the relatively unusual input that caused gzip-prior-to-1.4
to misbehave:

--- inflate.c.orig      2010-01-27 12:00:02.992726753 +0100
+++ inflate.c   2010-01-27 12:00:26.388602165 +0100
@@ -154,7 +154,7 @@ int windowBits;
     /* set number of window bits, free window if different */
     if (windowBits < 8 || windowBits > 15)
         return Z_STREAM_ERROR;
-    if (state->wbits != windowBits && state->window != Z_NULL) {
+    if (state->window != Z_NULL && state->wbits != windowBits) {
         ZFREE(strm, state->window);
         state->window = Z_NULL;
     }
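Review bot: the fix is correct but rests entirely on `&&` short-circuiting once `state->window != Z_NULL` is false, and nothing in the hunk records that dependency, so a later tidy-up could swap the operands back without noticing. Add a comment above the `if`, e.g. `/* test window first: wbits is not yet set when called from inflateInit2_ */`, next to the existing `/* set number of window bits, free window if different */` line, which states the intent but not why the order matters.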

At that point, state->window is initialized, but state->wbits is not.
Without that patch, valgrind complains on this input:

    $ printf '\037\235\220\0\0\0\304' > in.Z
    $ valgrind ./minigzip -d < in.Z > /dev/null
    ...
    Conditional jump or move depends on uninitialised value(s)
       at 0x40B979: inflateReset2 (inflate.c:157)
       by 0x40BAC7: inflateInit2_ (inflate.c:193)
       by 0x40195E: gz_open (gzio.c:186)
       by 0x401BDF: gzdopen (gzio.c:256)
       by 0x4014B1: main (minigzip.c:304)
    ...
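To make the ordering argument concrete, here is an added, self-contained C model of the inflateInit2_ -> inflateReset2 path (example code, not zlib's own); the struct layout, the helper names and the `wbits_defined` shadow flag are assumptions that stand in for the definedness tracking valgrind does.

```c
#include <stdlib.h>
enum { Z_OK = 0, Z_STREAM_ERROR = -2 };   /* the two return codes used here */

struct state {
    int wbits;              /* not written before the first reset */
    int wbits_defined;      /* assumed shadow flag: has wbits been assigned? */
    unsigned char *window;  /* the init path sets this to NULL */
};

static int uninit_reads;    /* reads of wbits while still undefined */
static int read_wbits(const struct state *s)
{ if (!s->wbits_defined) uninit_reads++; return s->wbits; }

/* Pre-patch order: the undefined field is compared first. */
static int reset2_before(struct state *s, int windowBits)
{
    if (windowBits < 8 || windowBits > 15) return Z_STREAM_ERROR;
    if (read_wbits(s) != windowBits && s->window != NULL) {
        free(s->window); s->window = NULL;
    }
    s->wbits = windowBits; s->wbits_defined = 1;
    return Z_OK;
}

/* Patched order: && short-circuits on window == NULL, so wbits is never
 * read on the init path, where nothing has been allocated yet. */
static int reset2_after(struct state *s, int windowBits)
{
    if (windowBits < 8 || windowBits > 15) return Z_STREAM_ERROR;
    if (s->window != NULL && read_wbits(s) != windowBits) {
        free(s->window); s->window = NULL;
    }
    s->wbits = windowBits; s->wbits_defined = 1;
    return Z_OK;
}

/* Models inflateInit2_: allocate without clearing (like ZALLOC), NULL the
 * window, then reset.  Returns the number of undefined reads the reset
 * made, or -1 if it rejected windowBits. */
int init_uninit_reads(int (*reset)(struct state *, int), int windowBits)
{
    struct state *s = malloc(sizeof *s);   /* wbits is indeterminate here */
    if (s == NULL) return -1;
    s->wbits_defined = 0; s->window = NULL; uninit_reads = 0;
    int rc = reset(s, windowBits);
    free(s);
    return rc == Z_OK ? uninit_reads : -1;
}
```

Running both orderings through the same init path shows one undefined read before the patch and none after it, which is exactly the difference valgrind reports at inflate.c:157.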


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'stable'), (400, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.31-1-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968) (ignored: LC_ALL set to C)
Shell: /bin/sh linked to /bin/bash

Versions of packages zlib1g depends on:
ii  libc6                         2.10.2-5   Embedded GNU C Library: Shared lib

zlib1g recommends no packages.

zlib1g suggests no packages.

-- no debconf information
--- inflate.c.orig	2010-01-27 12:00:26.388602165 +0100
+++ inflate.c	2010-01-27 12:00:02.992726753 +0100
@@ -154,7 +154,7 @@ int windowBits;
     /* set number of window bits, free window if different */
     if (windowBits < 8 || windowBits > 15)
         return Z_STREAM_ERROR;
-    if (state->window != Z_NULL && state->wbits != windowBits) {
+    if (state->wbits != windowBits && state->window != Z_NULL) {
         ZFREE(strm, state->window);
         state->window = Z_NULL;
     }
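Review bot: this second hunk is the exact inverse of the one above: the `-` and `+` lines are swapped, and so are the timestamps on the `---`/`+++` headers (the `.orig` file now carries the later time), so applying it would put the `state->wbits != windowBits` test back ahead of the `Z_NULL` check and reintroduce the uninitialized read. It looks like the diff was generated with its arguments reversed; only the first version should be applied.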
