From: Thiemo Nagel Date: Sat, 29 Nov 2008 15:06:59 +0000 (+0100) Subject: Avoid creating an undersized buffer for the hufts table. X-Git-Url: https://git.cworth.org/git?p=gzip;a=commitdiff_plain;h=91ce7f143f4e5b51f809b4d4dbb1eba030843726 Avoid creating an undersized buffer for the hufts table. A specific malformed input file (cf. attachment) either leads to gzip crashing with segmentation violation or hanging in an endless loop. Attached patch fixes the problem. --- diff --git a/debian/changelog b/debian/changelog index 1a4543c..4168e4c 100644 --- a/debian/changelog +++ b/debian/changelog @@ -2,8 +2,9 @@ gzip (1.3.12-8) UNRELEASED; urgency=low * Add Carl Worth as an uploader. * Fix "-f -" to work with zgrep, closes: #168606 + * Avoid creating undersized hufts table, closes #507263 - -- Carl Worth Fri, 27 Feb 2009 12:54:09 -0800 + -- Carl Worth Fri, 27 Feb 2009 12:54:37 -0800 gzip (1.3.12-7) unstable; urgency=low diff --git a/inflate.c b/inflate.c index 9f3a661..2f4954b 100644 --- a/inflate.c +++ b/inflate.c @@ -335,13 +335,15 @@ int *m; /* maximum lookup bits, returns actual */ } while (--i); if (c[0] == n) /* null input--all zero length codes */ { - q = (struct huft *) malloc (2 * sizeof *q); + q = (struct huft *) malloc (3 * sizeof *q); if (!q) return 3; - hufts += 2; + hufts += 3; q[0].v.t = (struct huft *) NULL; q[1].e = 99; /* invalid code marker */ q[1].b = 1; + q[2].e = 99; /* invalid code marker */ + q[2].b = 1; *t = q + 1; *m = 1; return 0;
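Review bot: In the debian/changelog hunk, the added entry reads "closes #507263" without the colon that the preceding entry uses ("closes: #168606"); Debian's changelog parser only recognizes the "closes: #NNNNNN" form when auto-closing bugs, so the new line should be "  * Avoid creating undersized hufts table, closes: #507263" to match the existing entry and actually close the bug on upload. The updated timestamp on the maintainer signature line is expected and fine.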
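Review bot: In the inflate.c hunk, the reason for growing the null-input table from 2 to 3 entries is not stated in the code and deserves a comment: the function returns *t = q + 1 with *m = 1, so the decoder performs a one-bit lookup relative to q + 1 and can touch both q[1] and q[2]; with only two entries allocated, q[2] was an out-of-bounds read past the malloc'd block, which is consistent with the crash or endless loop described in the commit message. Suggest adding a short comment above the malloc along the lines of "/* one-bit lookup from q+1 needs q[1] and q[2] */" so the magic constant 3 is self-explaining, and note that the matching "hufts += 3" keeps the table-size accounting consistent with the allocation. Filling q[2] with the same invalid-code marker (e = 99, b = 1) as q[1] is the right choice, since either lookup result on a zero-length-code table must be rejected rather than decoded.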