94584 2005-05-31 00:01 0000 app-arch/gzip: crash on bad input 2005-09-01 09:20:59 0000 1 1 1 Unclassified Gentoo Linux Applications unspecified All Linux RESOLVED FIXED http://dev.gentoo.org/~taviso/files/gzip-crash.gz P2 trivial --- 1 taviso@gentoo.org base-system@gentoo.org taviso@gentoo.org 2005-05-31 00:01:57 0000 A QA test uncovered an input data stream that crashes gzip -d, there's a testcase in the URL field. Upstream informed, but no response yet. Perhaps huft_build() should be returning non-zero around line 340 of inflate.c? At the moment it causes a NULL deref: ... 336 if (c[0] == n) /* null input--all zero length codes */ 337 { 338 *t = (struct huft *)NULL; 339 *m = 0; 340 return 0; 341 } ... vapier@gentoo.org 2005-07-02 06:44:09 0000 the comment just about huft_build() says: /* Given a list of code lengths and a maximum table size, make a set of tables to decode that set of codes. Return zero on success, one if the given code set is incomplete (the tables are still built in this case), two if the input is invalid (all zero length codes or an oversubscribed set of lengths), and three if not enough memory. */ the case you're looking at is for 'all zero length codes' which means it should return 2 instead of 0 ... that does fix the crash so i've added gzip-1.3.5-r8 with the fix vapier@gentoo.org 2005-07-02 07:44:16 0000 forgot to close ... ssjoholm@aha.com 2005-09-01 09:20:58 0000 Created an attachment (id=67422) Gzip file which cannot be decompressed after applying the patch The patch causes gzip -d to return "gzip: stdin: invalid compressed data--format violated" when decompressing dynamic huffman encoded files which don't have any matches, such as the one I am attaching. When there are no matches, then the distance huffman tree will have all zero length entries and huft_build() will return 2, even though this is valid according to the gzip spec, RFC1951. Without the patch the file decompresses correctly. I am working on finding a fix for both problems now. 67422 2005-09-01 09:20 0000 Gzip file which cannot be decompressed after applying the patch one.gz application/x-tar H4sIAAAAAAAAAwXAgQgAAAAAILb9pU6LntnTAQAAAA==