doc/website/static/security/patches/SA-06:21/gzip.patch

Index: gnu/usr.bin/gzip/gzip.h
===================================================================
RCS file: /home/ncvs/src/gnu/usr.bin/gzip/gzip.h,v
retrieving revision 1.4
diff -u -d -r1.4 gzip.h
--- gnu/usr.bin/gzip/gzip.h	2 May 2004 23:07:49 -0000	1.4
+++ gnu/usr.bin/gzip/gzip.h	17 Sep 2006 10:58:37 -0000
@@ -202,6 +202,8 @@
 extern int to_stdout;      /* output to stdout (-c) */
 extern int save_orig_name; /* set if original name must be saved */
 
+#define MIN(a,b) ((a) <= (b) ? (a) : (b))
+
 #define get_byte()  (inptr < insize ? inbuf[inptr++] : fill_inbuf(0))
 #define try_byte()  (inptr < insize ? inbuf[inptr++] : fill_inbuf(1))
 
Index: gnu/usr.bin/gzip/inflate.c
===================================================================
RCS file: /home/ncvs/src/gnu/usr.bin/gzip/inflate.c,v
retrieving revision 1.9
diff -u -d -r1.9 inflate.c
--- gnu/usr.bin/gzip/inflate.c	13 Aug 2004 05:38:44 -0000	1.9
+++ gnu/usr.bin/gzip/inflate.c	17 Sep 2006 10:58:37 -0000
@@ -316,7 +316,7 @@
   {
     *t = (struct huft *)NULL;
     *m = 0;
-    return 0;
+    return 2;
   }
 
 
Index: gnu/usr.bin/gzip/unlzh.c
===================================================================
RCS file: /home/ncvs/src/gnu/usr.bin/gzip/unlzh.c,v
retrieving revision 1.5
diff -u -d -r1.5 unlzh.c
--- gnu/usr.bin/gzip/unlzh.c	27 Aug 1999 23:35:53 -0000	1.5
+++ gnu/usr.bin/gzip/unlzh.c	17 Sep 2006 10:58:37 -0000
@@ -148,13 +148,17 @@
     unsigned i, k, len, ch, jutbits, avail, nextcode, mask;
 
     for (i = 1; i <= 16; i++) count[i] = 0;
-    for (i = 0; i < (unsigned)nchar; i++) count[bitlen[i]]++;
+    for (i = 0; i < (unsigned)nchar; i++) {
+        if (bitlen[i] > 16)
+        error("Bad table (case a)\n");
+        else count[bitlen[i]]++;
+    }
 
     start[1] = 0;
     for (i = 1; i <= 16; i++)
 	start[i + 1] = start[i] + (count[i] << (16 - i));
-    if ((start[17] & 0xffff) != 0)
-	error("Bad table\n");
+    if ((start[17] & 0xffff) != 0 || tablebits > 16) /* 16 for weight below */
+	error("Bad table (case b)\n");
 
     jutbits = 16 - tablebits;
     for (i = 1; i <= (unsigned)tablebits; i++) {
@@ -168,15 +172,15 @@
 
     i = start[tablebits + 1] >> jutbits;
     if (i != 0) {
-	k = 1 << tablebits;
-	while (i != k) table[i++] = 0;
+	k = MIN(1 << tablebits, DIST_BUFSIZE);
+	while (i < k) table[i++] = 0;
     }
 
     avail = nchar;
     mask = (unsigned) 1 << (15 - tablebits);
     for (ch = 0; ch < (unsigned)nchar; ch++) {
 	if ((len = bitlen[ch]) == 0) continue;
-	nextcode = start[len] + weight[len];
+	nextcode = MIN(start[len] + weight[len], DIST_BUFSIZE);
 	if (len <= (unsigned)tablebits) {
 	    for (i = start[len]; i < nextcode; i++) table[i] = ch;
 	} else {
@@ -217,7 +221,7 @@
 	for (i = 0; i < 256; i++) pt_table[i] = c;
     } else {
 	i = 0;
-	while (i < n) {
+	while (i < MIN(n,NPT)) {
 	    c = bitbuf >> (BITBUFSIZ - 3);
 	    if (c == 7) {
 		mask = (unsigned) 1 << (BITBUFSIZ - 1 - 3);
@@ -227,7 +231,7 @@
 	    pt_len[i++] = c;
 	    if (i == i_special) {
 		c = getbits(2);
-		while (--c >= 0) pt_len[i++] = 0;
+		while (--c >= 0 && i < NPT) pt_len[i++] = 0;
 	    }
 	}
 	while (i < nn) pt_len[i++] = 0;
@@ -247,7 +251,7 @@
 	for (i = 0; i < 4096; i++) c_table[i] = c;
     } else {
 	i = 0;
-	while (i < n) {
+	while (i < MIN(n,NC)) {
 	    c = pt_table[bitbuf >> (BITBUFSIZ - 8)];
 	    if (c >= NT) {
 		mask = (unsigned) 1 << (BITBUFSIZ - 1 - 8);
@@ -255,14 +259,14 @@
 		    if (bitbuf & mask) c = right[c];
 		    else               c = left [c];
 		    mask >>= 1;
-		} while (c >= NT);
+		} while (c >= NT && (mask || c != left[c]));
 	    }
 	    fillbuf((int) pt_len[c]);
 	    if (c <= 2) {
 		if      (c == 0) c = 1;
 		else if (c == 1) c = getbits(4) + 3;
 		else             c = getbits(CBIT) + 20;
-		while (--c >= 0) c_len[i++] = 0;
+		while (--c >= 0 && i < NC) c_len[i++] = 0;
 	    } else c_len[i++] = c - 2;
 	}
 	while (i < NC) c_len[i++] = 0;
@@ -291,7 +295,7 @@
 	    if (bitbuf & mask) j = right[j];
 	    else               j = left [j];
 	    mask >>= 1;
-	} while (j >= NC);
+	} while (j >= NC && (mask || j != left[j]));
     }
     fillbuf((int) c_len[j]);
     return j;
@@ -308,7 +312,7 @@
 	    if (bitbuf & mask) j = right[j];
 	    else               j = left [j];
 	    mask >>= 1;
-	} while (j >= NP);
+	} while (j >= NP && (mask || j != left[j]));
     }
     fillbuf((int) pt_len[j]);
     if (j != 0) j = ((unsigned) 1 << (j - 1)) + getbits((int) (j - 1));
@@ -355,7 +359,7 @@
     while (--j >= 0) {
 	buffer[r] = buffer[i];
 	i = (i + 1) & (DICSIZ - 1);
-	if (++r == count) return r;
+	if (++r >= count) return r;
     }
     for ( ; ; ) {
 	c = decode_c();
@@ -365,14 +369,14 @@
 	}
 	if (c <= UCHAR_MAX) {
 	    buffer[r] = c;
-	    if (++r == count) return r;
+	    if (++r >= count) return r;
 	} else {
 	    j = c - (UCHAR_MAX + 1 - THRESHOLD);
 	    i = (r - decode_p() - 1) & (DICSIZ - 1);
 	    while (--j >= 0) {
 		buffer[r] = buffer[i];
 		i = (i + 1) & (DICSIZ - 1);
-		if (++r == count) return r;
+		if (++r >= count) return r;
 	    }
 	}
     }
Index: gnu/usr.bin/gzip/unpack.c
===================================================================
RCS file: /home/ncvs/src/gnu/usr.bin/gzip/unpack.c,v
retrieving revision 1.6
diff -u -d -r1.6 unpack.c
--- gnu/usr.bin/gzip/unpack.c	27 Aug 1999 23:35:54 -0000	1.6
+++ gnu/usr.bin/gzip/unpack.c	17 Sep 2006 10:58:37 -0000
@@ -12,7 +12,6 @@
 #include "gzip.h"
 #include "crypt.h"
 
-#define MIN(a,b) ((a) <= (b) ? (a) : (b))
 /* The arguments must not have side effects. */
 
 #define MAX_BITLEN 25
@@ -132,7 +131,7 @@
 	/* Remember where the literals of this length start in literal[] : */
 	lit_base[len] = base;
 	/* And read the literals: */
-	for (n = leaves[len]; n > 0; n--) {
+	for (n = leaves[len]; n > 0 && base < LITERALS; n--) {
 	    literal[base++] = (uch)get_byte();
 	}
     }
@@ -168,7 +167,7 @@
     prefixp = &prefix_len[1<<peek_bits];
     for (len = 1; len <= peek_bits; len++) {
 	int prefixes = leaves[len] << (peek_bits-len); /* may be 0 */
-	while (prefixes--) *--prefixp = (uch)len;
+	while (prefixes-- && prefixp > prefix_len) *--prefixp = (uch)len;
     }
     /* The length of all other codes is unknown: */
     while (prefixp > prefix_len) *--prefixp = 0;