From 51370f365607fe14a6a7a1a27b3bd29d788f5e5b Mon Sep 17 00:00:00 2001
From: Mark Adler <madler@alumni.caltech.edu>
Date: Mon, 18 Feb 2013 21:06:35 -0800
Subject: [PATCH] Fix serious but very rare decompression bug in inftrees.c.
inftrees.c compared the number of used table entries to the maximum
allowed value using >= instead of >.  This patch fixes those to use
>.  The bug was discovered by Ignat Kolesnichenko of Yandex LC
where they have run petabytes of data through zlib.  Triggering the
bug is apparently very rare, seeing as how it has been out there in
the wild for almost three years before being discovered.  The bug
is instantiated only if the exact maximum number of decoding table
entries, ENOUGH_DISTS or ENOUGH_LENS is used by the block being
decoded, resulting in the false positive of overflowing the table.
---
 inftrees.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/inftrees.c b/inftrees.c
index 873da59..3781399 100644
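--- a/inftrees.c
+++ b/inftrees.c
@@ -208,8 +208,8 @@ unsigned short FAR *work;
     mask = used - 1;            /* mask for comparing low */
 
     /* check available table space */
-    if ((type == LENS && used >= ENOUGH_LENS) ||
-        (type == DISTS && used >= ENOUGH_DISTS))
+    if ((type == LENS && used > ENOUGH_LENS) ||
+        (type == DISTS && used > ENOUGH_DISTS))
         return 1;
 
     /* process all codes and make table entries */
@@ -277,8 +277,8 @@ unsigned short FAR *work;
 
             /* check for enough space */
             used += 1U << curr;
-            if ((type == LENS && used >= ENOUGH_LENS) ||
-                (type == DISTS && used >= ENOUGH_DISTS))
+            if ((type == LENS && used > ENOUGH_LENS) ||
+                (type == DISTS && used > ENOUGH_DISTS))
                 return 1;
 
             /* point entry in root table to sub-table */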
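Review bot: The comments beside both relaxed checks (`/* check available table space */` in the hunk at 208 and `/* check for enough space */` in the hunk at 277) still do not say that ENOUGH_LENS and ENOUGH_DISTS are inclusive limits, which is exactly the fact the old `>=` got wrong. I would extend the first to `/* check available table space; ENOUGH_* is the exact maximum, so used == ENOUGH_* is valid */` and mirror that wording at the second. Because `used` may now equal the limit, the change is memory-safe only if every buffer handed in as the table holds at least ENOUGH_LENS or ENOUGH_DISTS entries; that allocation is outside these hunks, so it should be confirmed on the caller side. The same two-line condition now appears twice, and a small local macro or helper would keep the two comparisons from drifting apart again. Both hunks sit inside a function whose start and end are not visible here.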
-- 
1.9.3