From: Tim Yamin <plasmaroo@gentoo.org>
Fix outstanding security bugs in the Linux zlib implementations. See:
a) http://sources.redhat.com/ml/bug-gnu-utils/1999-06/msg00183.html
b) http://bugs.gentoo.org/show_bug.cgi?id=94584
Signed-off-by: Tim Yamin <plasmaroo@gentoo.org>
Signed-off-by: Tavis Ormandy <taviso@gentoo.org>
Signed-off-by: Andrew Morton <akpm@osdl.org>
---
lib/inflate.c | 16 +++++++++-------
lib/zlib_inflate/inftrees.c | 2 +-
2 files changed, 10 insertions(+), 8 deletions(-)
diff -puN lib/inflate.c~fix-outstanding-gzip-zlib-security-issues lib/inflate.c
--- devel/lib/inflate.c~fix-outstanding-gzip-zlib-security-issues 2005-07-26 00:05:48.000000000 -0700
+++ devel-akpm/lib/inflate.c 2005-07-26 00:05:48.000000000 -0700
@@ -326,7 +326,7 @@ DEBG("huft1 ");
{
*t = (struct huft *)NULL;
*m = 0;
- return 0;
+ return 2;
}
DEBG("huft2 ");
@@ -374,6 +374,7 @@ DEBG("huft5 ");
if ((j = *p++) != 0)
v[x[j]++] = i;
} while (++i < n);
+ n = x[g]; /* set n to length of v */
DEBG("h6 ");
@@ -410,12 +411,13 @@ DEBG1("1 ");
DEBG1("2 ");
f -= a + 1; /* deduct codes from patterns left */
xp = c + k;
- while (++j < z) /* try smaller tables up to z bits */
- {
- if ((f <<= 1) <= *++xp)
- break; /* enough codes to use up j bits */
- f -= *xp; /* else deduct codes from patterns */
- }
+ if (j < z)
+ while (++j < z) /* try smaller tables up to z bits */
+ {
+ if ((f <<= 1) <= *++xp)
+ break; /* enough codes to use up j bits */
+ f -= *xp; /* else deduct codes from patterns */
+ }
}
DEBG1("3 ");
z = 1 << j; /* table entries for j-bit table */
diff -puN lib/zlib_inflate/inftrees.c~fix-outstanding-gzip-zlib-security-issues lib/zlib_inflate/inftrees.c
--- devel/lib/zlib_inflate/inftrees.c~fix-outstanding-gzip-zlib-security-issues 2005-07-26 00:05:48.000000000 -0700
+++ devel-akpm/lib/zlib_inflate/inftrees.c 2005-07-26 00:05:48.000000000 -0700
@@ -141,7 +141,7 @@ static int huft_build(
{
*t = NULL;
*m = 0;
- return Z_OK;
+ return Z_DATA_ERROR;
}
_