Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 95405 Details for
Bug 145511
app-arch/gzip Multiple issues (CVE-2006-433{4-8})
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
gzip-1.3.5-goo-sec.diff
gzip-1.3.5-goo-sec.diff (text/plain), 5.59 KB, created by
Sune Kloppenborg Jeppesen (RETIRED)
on 2006-08-29 12:14:51 UTC
(
hide
)
Description:
gzip-1.3.5-goo-sec.diff
Filename:
MIME Type:
Creator:
Sune Kloppenborg Jeppesen (RETIRED)
Created:
2006-08-29 12:14:51 UTC
Size:
5.59 KB
patch
obsolete
>Only in gzip-1.3.5: cscope.out >diff -ru gzip-1.3.5.orig/gzip.h gzip-1.3.5/gzip.h >--- gzip-1.3.5.orig/gzip.h 2001-10-01 07:53:41.000000000 +0100 >+++ gzip-1.3.5/gzip.h 2006-08-18 22:44:38.755598000 +0100 >@@ -198,6 +198,8 @@ > extern int to_stdout; /* output to stdout (-c) */ > extern int save_orig_name; /* set if original name must be saved */ > >+#define MIN(a,b) ((a) <= (b) ? (a) : (b)) >+ > #define get_byte() (inptr < insize ? inbuf[inptr++] : fill_inbuf(0)) > #define try_byte() (inptr < insize ? inbuf[inptr++] : fill_inbuf(1)) > >diff -ru gzip-1.3.5.orig/inflate.c gzip-1.3.5/inflate.c >--- gzip-1.3.5.orig/inflate.c 2002-09-25 22:20:13.000000000 +0100 >+++ gzip-1.3.5/inflate.c 2006-07-21 09:10:43.350376000 +0100 >@@ -337,7 +337,7 @@ > { > *t = (struct huft *)NULL; > *m = 0; >- return 0; >+ return 2; > } > > >Only in gzip-1.3.5: testcases >diff -ru gzip-1.3.5.orig/unlzh.c gzip-1.3.5/unlzh.c >--- gzip-1.3.5.orig/unlzh.c 1999-10-06 06:00:00.000000000 +0100 >+++ gzip-1.3.5/unlzh.c 2006-08-18 22:56:19.446997000 +0100 >@@ -149,13 +149,17 @@ > unsigned i, k, len, ch, jutbits, avail, nextcode, mask; > > for (i = 1; i <= 16; i++) count[i] = 0; >- for (i = 0; i < (unsigned)nchar; i++) count[bitlen[i]]++; >+ for (i = 0; i < (unsigned)nchar; i++) { >+ if (bitlen[i] > 16) >+ error("Bad table (case a)\n"); >+ else count[bitlen[i]]++; >+ } > > start[1] = 0; > for (i = 1; i <= 16; i++) > start[i + 1] = start[i] + (count[i] << (16 - i)); >- if ((start[17] & 0xffff) != 0) >- error("Bad table\n"); >+ if ((start[17] & 0xffff) != 0 || tablebits > 16) /* 16 for weight below */ >+ error("Bad table (case b)\n"); > > jutbits = 16 - tablebits; > for (i = 1; i <= (unsigned)tablebits; i++) { >@@ -169,15 +173,15 @@ > > i = start[tablebits + 1] >> jutbits; > if (i != 0) { >- k = 1 << tablebits; >- while (i != k) table[i++] = 0; >+ k = MIN(1 << tablebits, DIST_BUFSIZE); >+ while (i < k) table[i++] = 0; > } > > avail = nchar; > mask = (unsigned) 1 << (15 - tablebits); > for (ch = 0; ch < (unsigned)nchar; ch++) { > if ((len = bitlen[ch]) == 0) continue; >- nextcode = start[len] + weight[len]; >+ nextcode = MIN(start[len] + weight[len], DIST_BUFSIZE); > if (len <= (unsigned)tablebits) { > for (i = start[len]; i < nextcode; i++) table[i] = ch; > } else { >@@ -218,7 +222,7 @@ > for (i = 0; i < 256; i++) pt_table[i] = c; > } else { > i = 0; >- while (i < n) { >+ while (i < MIN(n,NPT)) { > c = bitbuf >> (BITBUFSIZ - 3); > if (c == 7) { > mask = (unsigned) 1 << (BITBUFSIZ - 1 - 3); >@@ -228,7 +232,7 @@ > pt_len[i++] = c; > if (i == i_special) { > c = getbits(2); >- while (--c >= 0) pt_len[i++] = 0; >+ while (--c >= 0 && i < NPT) pt_len[i++] = 0; > } > } > while (i < nn) pt_len[i++] = 0; >@@ -248,7 +252,7 @@ > for (i = 0; i < 4096; i++) c_table[i] = c; > } else { > i = 0; >- while (i < n) { >+ while (i < MIN(n,NC)) { > c = pt_table[bitbuf >> (BITBUFSIZ - 8)]; > if (c >= NT) { > mask = (unsigned) 1 << (BITBUFSIZ - 1 - 8); >@@ -256,14 +260,14 @@ > if (bitbuf & mask) c = right[c]; > else c = left [c]; > mask >>= 1; >- } while (c >= NT); >+ } while (c >= NT && (mask || c != left[c])); > } > fillbuf((int) pt_len[c]); > if (c <= 2) { > if (c == 0) c = 1; > else if (c == 1) c = getbits(4) + 3; > else c = getbits(CBIT) + 20; >- while (--c >= 0) c_len[i++] = 0; >+ while (--c >= 0 && i < NC) c_len[i++] = 0; > } else c_len[i++] = c - 2; > } > while (i < NC) c_len[i++] = 0; >@@ -292,7 +296,7 @@ > if (bitbuf & mask) j = right[j]; > else j = left [j]; > mask >>= 1; >- } while (j >= NC); >+ } while (j >= NC && (mask || j != left[j])); > } > fillbuf((int) c_len[j]); > return j; >@@ -309,7 +313,7 @@ > if (bitbuf & mask) j = right[j]; > else j = left [j]; > mask >>= 1; >- } while (j >= NP); >+ } while (j >= NP && (mask || j != left[j])); > } > fillbuf((int) pt_len[j]); > if (j != 0) j = ((unsigned) 1 << (j - 1)) + getbits((int) (j - 1)); >@@ -356,7 +360,7 @@ > while (--j >= 0) { > buffer[r] = buffer[i]; > i = (i + 1) & (DICSIZ - 1); >- if (++r == count) return r; >+ if (++r >= count) return r; > } > for ( ; ; ) { > c = decode_c(); >@@ -366,14 +370,14 @@ > } > if (c <= UCHAR_MAX) { > buffer[r] = c; >- if (++r == count) return r; >+ if (++r >= count) return r; > } else { > j = c - (UCHAR_MAX + 1 - THRESHOLD); > i = (r - decode_p() - 1) & (DICSIZ - 1); > while (--j >= 0) { > buffer[r] = buffer[i]; > i = (i + 1) & (DICSIZ - 1); >- if (++r == count) return r; >+ if (++r >= count) return r; > } > } > } >diff -ru gzip-1.3.5.orig/unpack.c gzip-1.3.5/unpack.c >--- gzip-1.3.5.orig/unpack.c 1999-10-06 06:00:00.000000000 +0100 >+++ gzip-1.3.5/unpack.c 2006-07-21 15:49:48.615190000 +0100 >@@ -13,7 +13,6 @@ > #include "gzip.h" > #include "crypt.h" > >-#define MIN(a,b) ((a) <= (b) ? (a) : (b)) > /* The arguments must not have side effects. */ > > #define MAX_BITLEN 25 >@@ -133,7 +132,7 @@ > /* Remember where the literals of this length start in literal[] : */ > lit_base[len] = base; > /* And read the literals: */ >- for (n = leaves[len]; n > 0; n--) { >+ for (n = leaves[len]; n > 0 && base < LITERALS; n--) { > literal[base++] = (uch)get_byte(); > } > } >@@ -169,7 +168,7 @@ > prefixp = &prefix_len[1<<peek_bits]; > for (len = 1; len <= peek_bits; len++) { > int prefixes = leaves[len] << (peek_bits-len); /* may be 0 */ >- while (prefixes--) *--prefixp = (uch)len; >+ while (prefixes-- && prefixp > prefix_len) *--prefixp = (uch)len; > } > /* The length of all other codes is unknown: */ > while (prefixp > prefix_len) *--prefixp = 0;
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 145511
: 95405 |
95406
|
99551
|
99552