From 51370f365607fe14a6a7a1a27b3bd29d788f5e5b Mon Sep 17 00:00:00 2001
From: Mark Adler <madler@alumni.caltech.edu>
Date: Mon, 18 Feb 2013 21:06:35 -0800
Subject: [PATCH] Fix serious but very rare decompression bug in inftrees.c.
inftrees.c compared the number of used table entries to the maximum
allowed value using >= instead of >.  This patch fixes those to use
>.  The bug was discovered by Ignat Kolesnichenko of Yandex LC
where they have run petabytes of data through zlib.  Triggering the
bug is apparently very rare, seeing as how it has been out there in
the wild for almost three years before being discovered.  The bug
is instantiated only if the exact maximum number of decoding table
entries, ENOUGH_DISTS or ENOUGH_LENS is used by the block being
decoded, resulting in the false positive of overflowing the table.
---
 inftrees.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/inftrees.c b/inftrees.c
index 873da59..3781399 100644
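--- a/inftrees.c
+++ b/inftrees.c
@@ -208,8 +208,8 @@ unsigned short FAR *work;
     mask = used - 1;            /* mask for comparing low */
 
     /* check available table space */
-    if ((type == LENS && used >= ENOUGH_LENS) ||
-        (type == DISTS && used >= ENOUGH_DISTS))
+    if ((type == LENS && used > ENOUGH_LENS) ||
+        (type == DISTS && used > ENOUGH_DISTS))
         return 1;
 
     /* process all codes and make table entries */
@@ -277,8 +277,8 @@ unsigned short FAR *work;
 
             /* check for enough space */
             used += 1U << curr;
-            if ((type == LENS && used >= ENOUGH_LENS) ||
-                (type == DISTS && used >= ENOUGH_DISTS))
+            if ((type == LENS && used > ENOUGH_LENS) ||
+                (type == DISTS && used > ENOUGH_DISTS))
                 return 1;
 
             /* point entry in root table to sub-table */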
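Review bot: With `>` both checks now accept `used == ENOUGH_LENS` and `used == ENOUGH_DISTS`, so they are a safe bound only if the table the caller passes in really holds that many entries; neither hunk shows that sizing, and the comments `/* check available table space */` and `/* check for enough space */` do not say the limit is inclusive. I would extend the first comment to something like `/* check available table space: used may equal ENOUGH_*, the exact maximum the caller's table must hold */` and mirror it at the second check. The same two-line condition is repeated in both hunks, which is presumably how the off-by-one ended up in two places; a small shared macro would keep the two checks in step. The enclosing function starts and ends outside both hunks.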
-- 
1.9.3