From: Thiemo Nagel <thiemo.nagel@ph.tum.de>
Date: Sat, 29 Nov 2008 15:06:59 +0000 (+0100)
Subject: Avoid creating an undersized buffer for the hufts table.
X-Git-Url: https://git.cworth.org/git?a=commitdiff_plain;h=HEAD;p=gzip

Avoid creating an undersized buffer for the hufts table.

A specific malformed input file (cf. attachment) either leads to gzip
crashing with segmentation violation or hanging in an endless loop.

Attached patch fixes the problem.
---

diff --git a/debian/changelog b/debian/changelog
index 1a4543c..4168e4c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,8 +2,9 @@ gzip (1.3.12-8) UNRELEASED; urgency=low
 
   * Add Carl Worth as an uploader.
   * Fix "-f -" to work with zgrep, closes: #168606 
+  * Avoid creating undersized hufts table, closes #507263 
 
- -- Carl Worth <cworth@cworth.org>  Fri, 27 Feb 2009 12:54:09 -0800
+ -- Carl Worth <cworth@cworth.org>  Fri, 27 Feb 2009 12:54:37 -0800
 
 gzip (1.3.12-7) unstable; urgency=low
 
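Review bot: the new `+` entry writes `closes #507263` without the colon used by the entry just above it (`closes: #168606`); the Debian changelog bug-closing syntax is keyed on `closes:` with the colon, so this line should read `closes: #507263` both for consistency and so the bug is actually closed on upload. Both of these `closes` lines also carry trailing whitespace that could be trimmed while touching them.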
diff --git a/inflate.c b/inflate.c
index 9f3a661..2f4954b 100644
--- a/inflate.c
+++ b/inflate.c
@@ -335,13 +335,15 @@ int *m;                 /* maximum lookup bits, returns actual */
   } while (--i);
   if (c[0] == n)                /* null input--all zero length codes */
   {
-    q = (struct huft *) malloc (2 * sizeof *q);
+    q = (struct huft *) malloc (3 * sizeof *q);
     if (!q)
       return 3;
-    hufts += 2;
+    hufts += 3;
     q[0].v.t = (struct huft *) NULL;
     q[1].e = 99;    /* invalid code marker */
     q[1].b = 1;
+    q[2].e = 99;    /* invalid code marker */
+    q[2].b = 1;
     *t = q + 1;
     *m = 1;
     return 0;
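Review bot: the allocation grows from `2 * sizeof *q` to `3 * sizeof *q` and `q[2]` is initialized as a copy of `q[1]`, but nothing in the hunk records why a third entry is required. Because the caller receives `*t = q + 1` together with `*m = 1`, a one-bit lookup reads `(*t)[0]` and `(*t)[1]`, which are `q[1]` and `q[2]`; with the old two-entry buffer `q[2]` lay past the end of the allocation, which matches the crash and endless-loop symptoms described in the message. Suggest a comment above the `malloc`, e.g. `/* header entry plus 2^1 lookup entries, since *m is set to 1 below */`, so a later cleanup does not shrink it back. The matching `hufts += 3` keeps the running table-size count consistent with the new allocation.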