From: Bdale Garbee Date: Tue, 19 Sep 2006 12:35:26 +0000 (-0600) Subject: Imported Debian patch 1.3.5-15 X-Git-Url: https://git.cworth.org/git?p=gzip;a=commitdiff_plain;h=c9eb602f6f5c10a521e7274640033f6a35deca1d Imported Debian patch 1.3.5-15 --- diff --git a/debian/changelog b/debian/changelog index 459e80e..c799043 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +gzip (1.3.5-15) unstable; urgency=high + + * security update, covering the following alerts: + CVE-2006-4334 CVE-2006-4335 CVE-2006-4336 CVE-2006-4337 CVE-2006-4338 + + -- Bdale Garbee Tue, 19 Sep 2006 06:35:26 -0600 + gzip (1.3.5-14) unstable; urgency=medium * update section to match override diff --git a/inflate.c b/inflate.c index 429716c..cfb0d57 100644 --- a/inflate.c +++ b/inflate.c @@ -337,7 +337,7 @@ int *m; /* maximum lookup bits, returns actual */ { *t = (struct huft *)NULL; *m = 0; - return 0; + return 2; } diff --git a/unlzh.c b/unlzh.c index b1c6ac6..7a88fee 100644 --- a/unlzh.c +++ b/unlzh.c @@ -69,11 +69,7 @@ local void make_table OF((int nchar, uch bitlen[], #define NT (CODE_BIT + 3) #define PBIT 4 /* smallest integer such that (1U << PBIT) > NP */ #define TBIT 5 /* smallest integer such that (1U << TBIT) > NT */ -#if NT > NP -# define NPT NT -#else -# define NPT NP -#endif +#define NPT (1< 1 << tablebits) + error("Bad table\n"); for (i = start[len]; i < nextcode; i++) table[i] = ch; } else { k = start[len]; @@ -223,6 +221,8 @@ local void read_pt_len(nn, nbit, i_special) if (c == 7) { mask = (unsigned) 1 << (BITBUFSIZ - 1 - 3); while (mask & bitbuf) { mask >>= 1; c++; } + if (c > 16) + error("Bad table\n"); } fillbuf((c < 7) ? 3 : c - 3); pt_len[i++] = c; diff --git a/unpack.c b/unpack.c index 00dae74..b1f3ef3 100644 --- a/unpack.c +++ b/unpack.c @@ -97,6 +97,7 @@ local void read_tree() int len; /* bit length */ int base; /* base offset for a sequence of leaves */ int n; + int max_leaves; /* Read the original input size, MSB first */ orig_len = 0; 
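Review bot: The early exit for an all-zero-length code set in inflate.c now fails with a bare `return 2;`, and nothing at that line says what 2 means or why an empty set is rejected instead of being returned as a NULL table. The function's return-code convention and its callers are outside the hunk, so a comment at the return would help, for example `return 2; /* no codes at all: fail here so no caller decodes through the NULL *t */`. One thing to confirm in the callers: RFC 1951 permits a block that uses no distance codes at all (all literals), so if the distance-length set is built through this function, a valid stream of that shape would now be refused. If that case is reachable, it should be handled explicitly in the caller and covered by a regression test with a literal-only input.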
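Review bot: The limit added in `read_pt_len` is a bare `16` with no indication of what it protects; presumably it is the longest code length the table-building code can index, but that is not visible in the hunk. A named constant or a comment such as `/* lengths above 16 bits do not fit the decode tables built from pt_len */` would keep the check tied to the array size it guards. The message here is `"Bad table\n"` while the `error()` calls in unpack.c in this same commit carry no trailing newline, so one of the two forms will likely print inconsistently; confirm which one `error()` expects. The check also only protects anything if `error()` never returns, which is worth stating where it is relied on. The surrounding loop and the declaration of `pt_len` are outside the hunk.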
@@ -109,11 +110,15 @@ local void read_tree()
 /* Get the number of leaves at each bit length */
 n = 0;
+ max_leaves = 1;
 for (len = 1; len <= max_len; len++) {
 leaves[len] = (int)get_byte();
+ if (leaves[len] > max_leaves - (len == max_len))
+ error("too many leaves in Huffman tree");
+ max_leaves = (max_leaves - leaves[len] + 1) * 2 - 1;
 n += leaves[len];
 }
- if (n > LITERALS) {
+ if (n >= LITERALS) {
 error("too many leaves in Huffman tree");
 }
 Trace((stderr, "orig_len %lu, max_len %d, leaves %d\n",
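Review bot: The per-length bound added inside the loop has no comment, and the arithmetic is not self-explanatory: `max_leaves` starts at 1, the limit is lowered by one when `len == max_len`, and it advances with `(max_leaves - leaves[len] + 1) * 2 - 1`. A short comment above the loop would let the next reader check it, for example `/* max_leaves: most leaves this length may hold given the codes left unassigned by shorter lengths; the final length allows one fewer */`, with the reason for the one-fewer case spelled out, since it is not visible here. The declaration `int max_leaves;` added in the previous hunk is also uncommented, while `len` and `base` beside it are. The doubling stays within `int` only if `max_len` is capped before this loop, which is outside the hunk and worth confirming. read_tree's body starts and ends outside the hunk.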