From 51370f365607fe14a6a7a1a27b3bd29d788f5e5b Mon Sep 17 00:00:00 2001
From: Mark Adler <madler@alumni.caltech.edu>
Date: Mon, 18 Feb 2013 21:06:35 -0800
Subject: [PATCH] Fix serious but very rare decompression bug in inftrees.c.
inftrees.c compared the number of used table entries to the maximum
allowed value using >= instead of >. This patch fixes those to use
>. The bug was discovered by Ignat Kolesnichenko of Yandex LC
where they have run petabytes of data through zlib. Triggering the
bug is apparently very rare, seeing as how it has been out there in
the wild for almost three years before being discovered. The bug
is instantiated only if the exact maximum number of decoding table
entries, ENOUGH_DISTS or ENOUGH_LENS is used by the block being
decoded, resulting in the false positive of overflowing the table.
---
inftrees.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/inftrees.c b/inftrees.c
index 873da59..3781399 100644
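--- a/inftrees.c
+++ b/inftrees.c
@@ -208,8 +208,8 @@ unsigned short FAR *work;
 mask = used - 1; /* mask for comparing low */
 
 /* check available table space */
- if ((type == LENS && used >= ENOUGH_LENS) ||
- (type == DISTS && used >= ENOUGH_DISTS))
+ if ((type == LENS && used > ENOUGH_LENS) ||
+ (type == DISTS && used > ENOUGH_DISTS))
 return 1;
 
 /* process all codes and make table entries */
@@ -277,8 +277,8 @@ unsigned short FAR *work;
 
 /* check for enough space */
 used += 1U << curr;
- if ((type == LENS && used >= ENOUGH_LENS) ||
- (type == DISTS && used >= ENOUGH_DISTS))
+ if ((type == LENS && used > ENOUGH_LENS) ||
+ (type == DISTS && used > ENOUGH_DISTS))
 return 1;
 
 /* point entry in root table to sub-table */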
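Review bot: The comments above the two corrected checks (`/* check available table space */` in the first hunk, `/* check for enough space */` in the second) still do not record that `used` equal to ENOUGH_LENS or ENOUGH_DISTS is a legal, fully populated table, which is exactly the boundary the old `>=` got wrong. I would extend the first to `/* check available table space; used == ENOUGH_* is valid, only more overflows */` and mirror that wording at the second, so a later reader does not "harden" the test back to `>=`. Because `>` now admits the exact maximum, memory safety rests on the caller's table holding at least ENOUGH_LENS / ENOUGH_DISTS entries, which is not visible in these hunks and is worth confirming where the table is declared. The identical two-line condition appears in both hunks and could be a single helper macro so the two checks cannot drift apart again. The enclosing function starts and ends outside both hunks.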
--
1.9.3