Index: src/huf.c
===================================================================
RCS file: /cvsroot/lha/lha/src/huf.c,v
retrieving revision 1.13
diff -u -u -r1.13 huf.c
--- src/huf.c 21 Mar 2003 15:34:52 -0000 1.13
+++ src/huf.c 8 Oct 2006 20:16:42 -0000
@@ -338,7 +338,7 @@
 }
 else {
 i = 0;
- while (i < n) {
+ while (i < MIN(n, NPT)) {
 c = peekbits(3);
 if (c != 7)
 fillbuf(3);
@@ -354,7 +354,7 @@
 pt_len[i++] = c;
 if (i == i_special) {
 c = getbits(2);
- while (--c >= 0)
+ while (--c >= 0 && i < NPT)
 pt_len[i++] = 0;
 }
 }
@@ -379,7 +379,7 @@
 c_table[i] = c;
 } else {
 i = 0;
- while (i < n) {
+ while (i < MIN(n,NC)) {
 c = pt_table[peekbits(8)];
 if (c >= NT) {
 unsigned short mask = 1 << (16 - 9);
@@ -389,7 +389,7 @@
 else
 c = left[c];
 mask >>= 1;
- } while (c >= NT);
+ } while (c >= NT && (mask || c != left[c]));
 }
 fillbuf(pt_len[c]);
 if (c <= 2) {
@@ -437,7 +437,7 @@
 else
 j = left[j];
 mask >>= 1;
- } while (j >= NC);
+ } while (j >= NC && (mask || j != left[j]));
 fillbuf(c_len[j] - 12);
 }
 return j;
@@ -462,7 +462,7 @@
 else
 j = left[j];
 mask >>= 1;
- } while (j >= np);
+ } while (j >= np && (mask || j != left[j]));
 fillbuf(pt_len[j] - 8);
 }
 if (j != 0)
Index: src/lha_macro.h
===================================================================
RCS file: /cvsroot/lha/lha/src/lha_macro.h,v
retrieving revision 1.50
diff -u -u -r1.50 lha_macro.h
--- src/lha_macro.h 8 Oct 2006 14:20:14 -0000 1.50
+++ src/lha_macro.h 8 Oct 2006 20:16:42 -0000
@@ -194,6 +194,8 @@
 /* Individual macro define */
 /* ------------------------------------------------------------------------ */

+#define MIN(a,b) ((a) <= (b) ? (a) : (b))
+
 /* bitio.c */
 #define peekbits(n) (bitbuf >> (sizeof(bitbuf)*8 - (n)))

Index: src/maketbl.c
===================================================================
RCS file: /cvsroot/lha/lha/src/maketbl.c,v
retrieving revision 1.6
diff -u -u -r1.6 maketbl.c
--- src/maketbl.c 16 Nov 2002 19:03:23 -0000 1.6
+++ src/maketbl.c 8 Oct 2006 20:16:42 -0000
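Review bot: In src/huf.c at @@ -338, `MIN(n, NPT)` silently truncates a count that the archive supplied, so decoding carries on with a length table the stream never described; the same applies to `MIN(n,NC)` at @@ -379. The maketbl.c part of this patch treats a bad table as fatal with `error(...)` followed by `exit(1)`, and rejecting `n > NPT` (or `n > NC`) before the loop would be consistent with that. If clamping is the intended behaviour, a comment such as `/* n is read from the archive; never index past the end of pt_len[] */` would record why. The enclosing function starts and ends outside the hunk.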
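Review bot: In src/huf.c at @@ -379, bounding the outer loop with `MIN(n,NC)` limits how many iterations start, not how far `i` advances inside one iteration. The @@ -354 hunk adds `i < NPT` to the zero-run loop that fills pt_len, but no hunk on this page touches the `if (c <= 2)` branch whose first line is the trailing context of @@ -389. Its body is not shown here, so this needs confirming against the full function: if it also writes a run through `c_len[i++]`, it needs an `i < NC` guard of the same form.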
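Review bot: In src/huf.c at @@ -389, the added exit condition `(mask || c != left[c])` can leave the loop with `c >= NT`, and the next statement, `fillbuf(pt_len[c])`, then indexes with that value. The same holds at @@ -437 (`c_len[j] - 12`, then `return j`) and at @@ -462 (`pt_len[j] - 8`). A check after each loop in the style maketbl.c uses in this patch, for example `if (c >= NT) { error("Bad table"); exit(1); }`, would stop on the corrupt tree instead of using the out-of-range node. The test also recognises only a node that points to itself, so it presumably relies on left[] never holding a longer cycle; a comment stating that assumption would help.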
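Review bot: In src/lha_macro.h at @@ -194, `MIN` is defined unconditionally and evaluates each argument twice. Some platforms already provide `MIN` in system headers, so wrapping the definition in `#ifndef MIN` ... `#endif` avoids a redefinition warning where such a header is included. A comment such as `/* arguments are evaluated twice; pass side-effect-free expressions */` would document the constraint. The uses added by this patch pass only plain variables and constants, so none of them is affected today.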
@@ -32,8 +32,14 @@
 }

 /* count */
- for (i = 0; i < nchar; i++)
- count[bitlen[i]]++;
+ for (i = 0; i < nchar; i++) {
+ if (bitlen[i] > 16) {
+ error("Bad table (case a)");
+ exit(1);
+ }
+ else
+ count[bitlen[i]]++;
+ }

 /* calculate first code */
 total = 0;
@@ -41,8 +47,10 @@
 start[i] = total;
 total += weight[i] * count[i];
 }
- if ((total & 0xffff) != 0)
+ if ((total & 0xffff) != 0 || tablebits > 16) { /* 16 for weight below */
 error("make_table(): Bad table (5)");
+ exit(1);
+ }

 /* shift data for make table. */
 m = 16 - tablebits;
@@ -53,7 +61,7 @@

 /* initialize */
 j = start[tablebits + 1] >> m;
- k = 1 << tablebits;
+ k = MIN(1 << tablebits, 4096);
 if (j != 0)
 for (i = j; i < k; i++)
 table[i] = 0;
@@ -66,12 +74,18 @@
 l = start[k] + weight[k];
 if (k <= tablebits) {
 /* code in table */
+ l = MIN(l, 4096);
 for (i = start[k]; i < l; i++)
 table[i] = j;
 }
 else {
 /* code not in table */
- p = &table[(i = start[k]) >> m];
+ i = start[k];
+ if ((i >> m) > 4096) {
+ error("Bad table");
+ exit(1);
+ }
+ p = &table[i >> m];
 i <<= tablebits;
 n = k - tablebits;
 /* make tree (n length) */
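Review bot: In src/maketbl.c at @@ -32, the new diagnostics are worded inconsistently: `"Bad table (case a)"` here and `"Bad table"` at @@ -66, next to the existing `"make_table(): Bad table (5)"`, which @@ -41 now also reports for the added `tablebits > 16` case. Giving each check its own text with the `make_table():` prefix would let a failure report be traced to one check. The `else` after `exit(1)` is redundant; `count[bitlen[i]]++;` can follow the `if` block directly. The limit 16 deserves a comment tying it to the size of `count[]`, whose declaration is outside the hunk.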
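Review bot: In src/maketbl.c at @@ -53, the literal `4096` in `k = MIN(1 << tablebits, 4096);` (used twice more at @@ -66) is presumably the capacity of the largest table passed to this function, but neither the declaration of `table` nor the callers are visible in these hunks. If a smaller table can be passed, this clamp does not protect it, and for a `tablebits` above 12 it silently shortens the table instead of rejecting the input. A named constant, or a capacity argument checked beside the `tablebits > 16` test at @@ -41, would make the limit explicit. At minimum, a comment such as `/* 4096 = entries in the largest caller-supplied table */` should say where the number comes from, once that is confirmed.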
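Review bot: In src/maketbl.c at @@ -66, the new check `if ((i >> m) > 4096)` lets the value 4096 itself through, and `p = &table[i >> m];` then points one element past the limit. The other bounds added by this patch (`i < k` and `i < l`, both clamped to 4096) treat 4096 as exclusive, so the comparison should be `if ((i >> m) >= 4096) {`. The in-table branch just above clamps `l` silently while this branch exits, and a comment explaining why the two cases are handled differently would help. The loop that follows `/* make tree (n length) */` is outside the hunk.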