Avoid creating an undersized buffer for the hufts table.

A specific malformed input file (cf. attachment) either leads to gzip
crashing with segmentation violation or hanging in an endless loop.

Attached patch fixes the problem.

diff --git a/debian/changelog b/debian/changelog
index 1a4543c00f20a795d44ed456dd68f191a20c8fd2..4168e4c13533cf397c1470438686009bc99c9cd6 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,8 +2,9 @@ gzip (1.3.12-8) UNRELEASED; urgency=low
 
   * Add Carl Worth as an uploader.
   * Fix "-f -" to work with zgrep, closes: #168606 
+  * Avoid creating undersized hufts table, closes #507263 
 
- -- Carl Worth <cworth@cworth.org>  Fri, 27 Feb 2009 12:54:09 -0800
+ -- Carl Worth <cworth@cworth.org>  Fri, 27 Feb 2009 12:54:37 -0800
 
 gzip (1.3.12-7) unstable; urgency=low
 

diff --git a/inflate.c b/inflate.c
index 9f3a6616e18e1ca70eaa0c1b88bde43a0209211c..2f4954be020fd9a9eaf0da4015ca8ee465e6dcc5 100644 (file)
--- a/inflate.c
+++ b/inflate.c
@@ -335,13 +335,15 @@ int *m;                 /* maximum lookup bits, returns actual */
   } while (--i);
   if (c[0] == n)                /* null input--all zero length codes */
   {
-    q = (struct huft *) malloc (2 * sizeof *q);
+    q = (struct huft *) malloc (3 * sizeof *q);
     if (!q)
       return 3;
-    hufts += 2;
+    hufts += 3;
     q[0].v.t = (struct huft *) NULL;
     q[1].e = 99;    /* invalid code marker */
     q[1].b = 1;
+    q[2].e = 99;    /* invalid code marker */
+    q[2].b = 1;
     *t = q + 1;
     *m = 1;
     return 0;