tree 22fa7055bb56c071d0ed242d8122b9429a418a6f parent cc54d1333e409f714aa9c7db63f7f9ed07cc57a9 author Tim Yamin <[EMAIL PROTECTED]> Tue, 26 Jul 2005 12:15:54 +0100 committer Marcelo Tosatti <[EMAIL PROTECTED]> Tue, 26 Jul 2005 18:47:36 -0300
The gzip description is as good as the ChangeLog says it is -: "Set n to length of v, to detect improper tables" and "Don't accidentally grow j past z". The return 2 instead of the return 0 is so that we actually error out if we also get inproper tables (for some reason the code returned "OK" in such cases). Fix outstanding security bugs in the Linux zlib implementations. See: a) http://sources.redhat.com/ml/bug-gnu-utils/1999-06/msg00183.html b) http://bugs.gentoo.org/show_bug.cgi?id=94584 Signed-off-by: Tim Yamin <[EMAIL PROTECTED]> Signed-off-by: Tavis Ormandy <[EMAIL PROTECTED]> arch/ppc/boot/lib/zlib.c | 3 ++- arch/ppc64/boot/zlib.c | 3 ++- lib/inflate.c | 16 +++++++++------- lib/zlib_inflate/inftrees.c | 2 +- 4 files changed, 14 insertions(+), 10 deletions(-) diff --git a/arch/ppc/boot/lib/zlib.c b/arch/ppc/boot/lib/zlib.c --- a/arch/ppc/boot/lib/zlib.c +++ b/arch/ppc/boot/lib/zlib.c @@ -1278,7 +1278,7 @@ z_stream *zs; /* for zalloc fu { *t = (inflate_huft *)Z_NULL; *m = 0; - return Z_OK; + return Z_DATA_ERROR; } @@ -1322,6 +1322,7 @@ z_stream *zs; /* for zalloc fu if ((j = *p++) != 0) v[x[j]++] = i; } while (++i < n); + n = x[g]; /* set n to length of v */ /* Generate the Huffman codes and for each, make the table entries */ diff --git a/arch/ppc64/boot/zlib.c b/arch/ppc64/boot/zlib.c --- a/arch/ppc64/boot/zlib.c +++ b/arch/ppc64/boot/zlib.c @@ -1294,7 +1294,7 @@ z_stream *zs; /* for zalloc fu { *t = (inflate_huft *)Z_NULL; *m = 0; - return Z_OK; + return Z_DATA_ERROR; } @@ -1338,6 +1338,7 @@ z_stream *zs; /* for zalloc fu if ((j = *p++) != 0) v[x[j]++] = i; } while (++i < n); + n = x[g]; /* set n to length of v */ /* Generate the Huffman codes and for each, make the table entries */ diff --git a/lib/inflate.c b/lib/inflate.c --- a/lib/inflate.c +++ b/lib/inflate.c @@ -320,7 +320,7 @@ DEBG("huft1 "); { *t = (struct huft *)NULL; *m = 0; - return 0; + return 2; } DEBG("huft2 "); @@ -368,6 +368,7 @@ DEBG("huft5 "); if ((j = *p++) != 0) v[x[j]++] = i; } while (++i < n); + n = x[g]; /* set n to length of v */ DEBG("h6 "); @@ -404,12 +405,13 @@ DEBG1("1 "); DEBG1("2 "); f -= a + 1; /* deduct codes from patterns left */ xp = c + k; - while (++j < z) /* try smaller tables up to z bits */ - { - if ((f <<= 1) <= *++xp) - break; /* enough codes to use up j bits */ - f -= *xp; /* else deduct codes from patterns */ - } + if (j < z) + while (++j < z) /* try smaller tables up to z bits */ + { + if ((f <<= 1) <= *++xp) + break; /* enough codes to use up j bits */ + f -= *xp; /* else deduct codes from patterns */ + } } DEBG1("3 "); z = 1 << j; /* table entries for j-bit table */ diff --git a/lib/zlib_inflate/inftrees.c b/lib/zlib_inflate/inftrees.c --- a/lib/zlib_inflate/inftrees.c +++ b/lib/zlib_inflate/inftrees.c @@ -140,7 +140,7 @@ uIntf *v; /* working area: { *t = (inflate_huft *)Z_NULL; *m = 0; - return Z_OK; + return Z_DATA_ERROR; } - To unsubscribe from this list: send the line "unsubscribe git-commits-24" in the body of a message to [EMAIL PROTECTED] More majordomo info at http://vger.kernel.org/majordomo-info.html
