Gentoo's Bugzilla – Attachment 99627 Details for
Bug 151252
app-arch/lha: multiple vulnerabilities (CVE-2006-433[4-8])
[patch]
app-arch/lha/files/lha-1.14i_p20050924-CVE-2006-4334-8.patch
lha-1.14i_p20050924-CVE-2006-4334-8.patch (text/plain), 4.02 KB, created by
MATSUU Takuto (RETIRED)
on 2006-10-13 19:33:13 UTC
Description:
app-arch/lha/files/lha-1.14i_p20050924-CVE-2006-4334-8.patch
Creator:
MATSUU Takuto (RETIRED)
Created:
2006-10-13 19:33:13 UTC
Size:
4.02 KB
>Index: src/huf.c
>===================================================================
>RCS file: /cvsroot/lha/lha/src/huf.c,v
>retrieving revision 1.13
>diff -u -u -r1.13 huf.c
>--- src/huf.c 21 Mar 2003 15:34:52 -0000 1.13
>+++ src/huf.c 8 Oct 2006 20:16:42 -0000
>@@ -338,7 +338,7 @@
> }
> else {
> i = 0;
>- while (i < n) {
>+ while (i < MIN(n, NPT)) {
> c = peekbits(3);
> if (c != 7)
> fillbuf(3);
>@@ -354,7 +354,7 @@
> pt_len[i++] = c;
> if (i == i_special) {
> c = getbits(2);
>- while (--c >= 0)
>+ while (--c >= 0 && i < NPT)
> pt_len[i++] = 0;
> }
> }
>@@ -379,7 +379,7 @@
> c_table[i] = c;
> } else {
> i = 0;
>- while (i < n) {
>+ while (i < MIN(n,NC)) {
> c = pt_table[peekbits(8)];
> if (c >= NT) {
> unsigned short mask = 1 << (16 - 9);
>@@ -389,7 +389,7 @@
> else
> c = left[c];
> mask >>= 1;
>- } while (c >= NT);
>+ } while (c >= NT && (mask || c != left[c]));
> }
> fillbuf(pt_len[c]);
> if (c <= 2) {
>@@ -437,7 +437,7 @@
> else
> j = left[j];
> mask >>= 1;
>- } while (j >= NC);
>+ } while (j >= NC && (mask || j != left[j]));
> fillbuf(c_len[j] - 12);
> }
> return j;
>@@ -462,7 +462,7 @@
> else
> j = left[j];
> mask >>= 1;
>- } while (j >= np);
>+ } while (j >= np && (mask || j != left[j]));
> fillbuf(pt_len[j] - 8);
> }
> if (j != 0)
>Index: src/lha_macro.h
>===================================================================
>RCS file: /cvsroot/lha/lha/src/lha_macro.h,v
>retrieving revision 1.50
>diff -u -u -r1.50 lha_macro.h
>--- src/lha_macro.h 8 Oct 2006 14:20:14 -0000 1.50
>+++ src/lha_macro.h 8 Oct 2006 20:16:42 -0000
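Review bot: Clamping the loop with `MIN(n, NPT)` at -338 (and with `MIN(n,NC)` at -379) silently accepts a length field larger than the table instead of rejecting the archive, so decoding carries on with a table the header did not describe. The read of `n` is outside the hunk, so it is only inferred that it comes from the input. I would treat an oversized `n` as a corrupt archive before the loop, e.g. `if (n > NPT) { error("Bad table"); exit(1); }`, matching what this patch does in src/maketbl.c. The enclosing functions start and end outside the hunks.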
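Review bot: When the loop at -389 leaves through the new `(mask || c != left[c])` clause, `c` is still `>= NT`, and the very next line uses it as an index in `fillbuf(pt_len[c])`. The same holds for `c_len[j] - 12` at -437 and `pt_len[j] - 8` at -462. Whether that index can run past the arrays depends on their sizes, which are not visible here, but I would fail the decode on that path, e.g. `if (c >= NT) { error("Bad table"); exit(1); }` right after the loop. The new clause also stops only on a node that points to itself, so as far as the hunk shows a longer cycle in `left[]` with `mask == 0` would still not terminate; a bounded iteration count would be more robust. The enclosing functions lie outside the hunks.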
>@@ -194,6 +194,8 @@
> /* Individual macro define */
> /* ------------------------------------------------------------------------ */
>
>+#define MIN(a,b) ((a) <= (b) ? (a) : (b))
>+
> /* bitio.c */
> #define peekbits(n) (bitbuf >> (sizeof(bitbuf)*8 - (n)))
>
>Index: src/maketbl.c
>===================================================================
>RCS file: /cvsroot/lha/lha/src/maketbl.c,v
>retrieving revision 1.6
>diff -u -u -r1.6 maketbl.c
>--- src/maketbl.c 16 Nov 2002 19:03:23 -0000 1.6
>+++ src/maketbl.c 8 Oct 2006 20:16:42 -0000
>@@ -32,8 +32,14 @@
> }
>
> /* count */
>- for (i = 0; i < nchar; i++)
>- count[bitlen[i]]++;
>+ for (i = 0; i < nchar; i++) {
>+ if (bitlen[i] > 16) {
>+ error("Bad table (case a)");
>+ exit(1);
>+ }
>+ else
>+ count[bitlen[i]]++;
>+ }
>
> /* calculate first code */
> total = 0;
>@@ -41,8 +47,10 @@
> start[i] = total;
> total += weight[i] * count[i];
> }
>- if ((total & 0xffff) != 0)
>+ if ((total & 0xffff) != 0 || tablebits > 16) { /* 16 for weight below */
> error("make_table(): Bad table (5)");
>+ exit(1);
>+ }
>
> /* shift data for make table. */
> m = 16 - tablebits;
>@@ -53,7 +61,7 @@
>
> /* initialize */
> j = start[tablebits + 1] >> m;
>- k = 1 << tablebits;
>+ k = MIN(1 << tablebits, 4096);
> if (j != 0)
> for (i = j; i < k; i++)
> table[i] = 0;
>@@ -66,12 +74,18 @@
> l = start[k] + weight[k];
> if (k <= tablebits) {
> /* code in table */
>+ l = MIN(l, 4096);
> for (i = start[k]; i < l; i++)
> table[i] = j;
> }
> else {
> /* code not in table */
>- p = &table[(i = start[k]) >> m];
>+ i = start[k];
>+ if ((i >> m) > 4096) {
>+ error("Bad table");
>+ exit(1);
>+ }
>+ p = &table[i >> m];
> i <<= tablebits;
> n = k - tablebits;
> /* make tree (n length) */
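Review bot: `MIN` is defined unconditionally at -194 in src/lha_macro.h, which will clash with any system header that already provides a `MIN` macro; wrapping the definition in `#ifndef MIN` … `#endif` avoids the redefinition. The macro also evaluates each argument twice, so a comment above it such as `/* arguments are evaluated twice: pass no side effects */` would help. The uses added in this patch pass side-effect-free expressions, so this is a documentation point rather than a bug.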
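Review bot: The literal `4096` in `k = MIN(1 << tablebits, 4096);` at -53 of src/maketbl.c, and again in `l = MIN(l, 4096);` and the `> 4096` test at -66, is not tied to the size of the table actually passed in. The signature of make_table is outside the hunk, but if it is also called for a smaller table, such as the `pt_table` that src/huf.c indexes with `peekbits(8)`, this bound does not protect that table. I would name the constant and document which table it describes, or derive the limit from the element count of the table being filled.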
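Review bot: The new guard `if ((i >> m) > 4096)` at -66 of src/maketbl.c lets `i >> m == 4096` through, while the loops in this same patch treat 4096 as an exclusive bound (`i < k`, `i < l`). If 4096 is the element count of the table, `p = &table[i >> m]` then points one past the end, and the tree-building code that follows (outside the hunk) presumably writes through `p`. The comparison should be `if ((i >> m) >= 4096) {`.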