openpkg
/
openpkg-packages
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
39828 Commits
1 Branch
2 Tags
597 MiB
 
 
 
 
 
 
Tree: adaab8e14f
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'adaab8e14f'
${ noResults }
openpkg-packages/gzip/gzip.patch

194 lines
5.6 KiB
Raw Blame History

Security Fix
Index: gzip.c
--- gzip.c.orig 2009-09-26 20:56:02 +0200
+++ gzip.c 2009-10-07 07:59:53 +0200
@@ -168,7 +168,7 @@
DECLARE(uch, inbuf, INBUFSIZ +INBUF_EXTRA);
DECLARE(uch, outbuf, OUTBUFSIZ+OUTBUF_EXTRA);
DECLARE(ush, d_buf, DIST_BUFSIZE);
-DECLARE(uch, window, 2L*WSIZE);
+DECLARE(uch, window, 2L*WSIZE + 4096); /* enlarge to avoid crashs due to peeking beyond the buffer end */
#ifndef MAXSEG_64K
DECLARE(ush, tab_prefix, 1L<<BITS);
#else
-----------------------------------------------------------------------------
Security Fixes
- OOB write (CVE-2006-4335)
- Buffer underflow (CVE-2006-4336)
- Buffer overflow (CVE-2006-4337)
- Infinite loop (CVE-2006-4338)
Index: gzip.h
--- gzip.h.orig 2009-09-26 20:43:28 +0200
+++ gzip.h 2009-10-07 07:59:53 +0200
@@ -223,6 +223,8 @@
extern int to_stdout; /* output to stdout (-c) */
extern int save_orig_name; /* set if original name must be saved */
+#define MIN(a,b) ((a) <= (b) ? (a) : (b))
+
#define get_byte() (inptr < insize ? inbuf[inptr++] : fill_inbuf(0))
#define try_byte() (inptr < insize ? inbuf[inptr++] : fill_inbuf(1))
Index: unlzh.c
--- unlzh.c.orig 2009-09-26 20:20:40 +0200
+++ unlzh.c 2009-10-07 07:59:53 +0200
@@ -141,12 +141,17 @@
unsigned i, k, len, ch, jutbits, avail, nextcode, mask;
for (i = 1; i <= 16; i++) count[i] = 0;
- for (i = 0; i < (unsigned)nchar; i++) count[bitlen[i]]++;
+ for (i = 0; i < (unsigned)nchar; i++) {
+ if (bitlen[i] > 16)
+ error("Bad table\n");
+ else
+ count[bitlen[i]]++;
+ }
start[1] = 0;
for (i = 1; i <= 16; i++)
start[i + 1] = start[i] + (count[i] << (16 - i));
- if ((start[17] & 0xffff) != 0)
+ if ((start[17] & 0xffff) != 0 || tablebits > 16) /* 16 for weight below */
gzip_error ("Bad table\n");
jutbits = 16 - tablebits;
@@ -161,15 +166,15 @@
i = start[tablebits + 1] >> jutbits;
if (i != 0) {
- k = 1 << tablebits;
- while (i != k) table[i++] = 0;
+ k = MIN(1 << tablebits, DIST_BUFSIZE);
+ while (i < k) table[i++] = 0;
}
avail = nchar;
mask = (unsigned) 1 << (15 - tablebits);
for (ch = 0; ch < (unsigned)nchar; ch++) {
if ((len = bitlen[ch]) == 0) continue;
- nextcode = start[len] + weight[len];
+ nextcode = MIN(start[len] + weight[len], DIST_BUFSIZE);
if (len <= (unsigned)tablebits) {
if ((unsigned) 1 << tablebits < nextcode)
gzip_error ("Bad table\n");
@@ -212,7 +217,7 @@
for (i = 0; i < 256; i++) pt_table[i] = c;
} else {
i = 0;
- while (i < n) {
+ while (i < MIN(n,NPT)) {
c = bitbuf >> (BITBUFSIZ - 3);
if (c == 7) {
mask = (unsigned) 1 << (BITBUFSIZ - 1 - 3);
@@ -224,7 +229,7 @@
pt_len[i++] = c;
if (i == i_special) {
c = getbits(2);
- while (--c >= 0) pt_len[i++] = 0;
+ while (--c >= 0 && i < NPT) pt_len[i++] = 0;
}
}
while (i < nn) pt_len[i++] = 0;
@@ -244,7 +249,7 @@
for (i = 0; i < 4096; i++) c_table[i] = c;
} else {
i = 0;
- while (i < n) {
+ while (i < MIN(n,NC)) {
c = pt_table[bitbuf >> (BITBUFSIZ - 8)];
if (c >= NT) {
mask = (unsigned) 1 << (BITBUFSIZ - 1 - 8);
@@ -252,14 +257,14 @@
if (bitbuf & mask) c = right[c];
else c = left [c];
mask >>= 1;
- } while (c >= NT);
+ } while (c >= NT && (mask || c != left[c]));
}
fillbuf((int) pt_len[c]);
if (c <= 2) {
if (c == 0) c = 1;
else if (c == 1) c = getbits(4) + 3;
else c = getbits(CBIT) + 20;
- while (--c >= 0) c_len[i++] = 0;
+ while (--c >= 0 && i < NC) c_len[i++] = 0;
} else c_len[i++] = c - 2;
}
while (i < NC) c_len[i++] = 0;
@@ -288,7 +293,7 @@
if (bitbuf & mask) j = right[j];
else j = left [j];
mask >>= 1;
- } while (j >= NC);
+ } while (j >= NC && (mask || j != left[j]));
}
fillbuf((int) c_len[j]);
return j;
@@ -305,7 +310,7 @@
if (bitbuf & mask) j = right[j];
else j = left [j];
mask >>= 1;
- } while (j >= NP);
+ } while (j >= NP && (mask || j != left[j]));
}
fillbuf((int) pt_len[j]);
if (j != 0) j = ((unsigned) 1 << (j - 1)) + getbits((int) (j - 1));
@@ -352,7 +357,7 @@
while (--j >= 0) {
buffer[r] = buffer[i];
i = (i + 1) & (DICSIZ - 1);
- if (++r == count) return r;
+ if (++r >= count) return r;
}
for ( ; ; ) {
c = decode_c();
@@ -362,14 +367,14 @@
}
if (c <= UCHAR_MAX) {
buffer[r] = c;
- if (++r == count) return r;
+ if (++r >= count) return r;
} else {
j = c - (UCHAR_MAX + 1 - THRESHOLD);
i = (r - decode_p() - 1) & (DICSIZ - 1);
while (--j >= 0) {
buffer[r] = buffer[i];
i = (i + 1) & (DICSIZ - 1);
- if (++r == count) return r;
+ if (++r >= count) return r;
}
}
}
Index: unpack.c
--- unpack.c.orig 2009-09-26 20:43:28 +0200
+++ unpack.c 2009-10-07 07:59:53 +0200
@@ -22,7 +22,6 @@
#include "gzip.h"
#include "crypt.h"
-#define MIN(a,b) ((a) <= (b) ? (a) : (b))
/* The arguments must not have side effects. */
#define MAX_BITLEN 25
@@ -146,7 +145,7 @@
/* Remember where the literals of this length start in literal[] : */
lit_base[len] = base;
/* And read the literals: */
- for (n = leaves[len]; n > 0; n--) {
+ for (n = leaves[len]; n > 0 && base < LITERALS; n--) {
literal[base++] = (uch)get_byte();
}
}
@@ -182,7 +181,7 @@
prefixp = &prefix_len[1<<peek_bits];
for (len = 1; len <= peek_bits; len++) {
int prefixes = leaves[len] << (peek_bits-len); /* may be 0 */
- while (prefixes--) *--prefixp = (uch)len;
+ while (prefixes-- && prefixp > prefix_len) *--prefixp = (uch)len;
}
/* The length of all other codes is unknown: */
while (prefixp > prefix_len) *--prefixp = 0;