Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 94584 - app-arch/gzip: crash on bad input
Summary: app-arch/gzip: crash on bad input
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: High trivial (vote)
Assignee: Gentoo's Team for Core System packages
Depends on:
Reported: 2005-05-31 00:01 UTC by Tavis Ormandy (RETIRED)
Modified: 2005-09-01 09:20 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---

Gzip file which cannot be decompressed after applying the patch (one.gz,31 bytes, application/x-tar)
2005-09-01 09:20 UTC, ssjoholm

Note You need to log in before you can comment on or make changes to this bug.
Description Tavis Ormandy (RETIRED) gentoo-dev 2005-05-31 00:01:57 UTC
A QA test uncovered an input data stream that crashes gzip -d, there's a testcase in the URL field. Upstream informed, but no response yet.

Perhaps huft_build() should be returning non-zero around line 340 of inflate.c? At the moment it causes a NULL deref:

    336   if (c[0] == n)                /* null input--all zero length codes */
    337   {
    338     *t = (struct huft *)NULL;
    339     *m = 0;
    340     return 0;
    341   }
Comment 1 SpanKY gentoo-dev 2005-07-02 06:44:09 UTC
the comment just about huft_build() says:
/* Given a list of code lengths and a maximum table size, make a set of
   tables to decode that set of codes.  Return zero on success, one if
   the given code set is incomplete (the tables are still built in this
   case), two if the input is invalid (all zero length codes or an
   oversubscribed set of lengths), and three if not enough memory. */

the case you're looking at is for 'all zero length codes' which means it should
return 2 instead of 0 ... that does fix the crash so i've added gzip-1.3.5-r8
with the fix
Comment 2 SpanKY gentoo-dev 2005-07-02 07:44:16 UTC
forgot to close ...
Comment 3 ssjoholm 2005-09-01 09:20:58 UTC
Created attachment 67422 [details]
Gzip file which cannot be decompressed after applying the patch

The patch causes gzip -d to return "gzip: stdin: invalid compressed
data--format violated" when decompressing dynamic huffman encoded files which
don't have any matches, such as the one I am attaching.  When there are no
matches, then the distance huffman tree will have all zero length entries and
huft_build() will return 2, even though this is valid according to the gzip
spec, RFC1951.	Without the patch the file decompresses correctly.  I am
working on finding a fix for both problems now.