Attachment #41311 for bug #95512

View | Details | Raw Unified | Return to bug 95512
Collapse All | Expand All




        next = fixed;
        lenfix = next;
        bits = 9;
        inflate_table_safe(LENS, state->lens, 288, &(next), 512, &(bits), state->work);

        /* distance table */
        sym = 0;
        while (sym < 32) state->lens[sym++] = 5;
        distfix = next;
        bits = 5;
        inflate_table_safe(DISTS, state->lens, 32, &(next), 32, &(bits), state->work);

        /* do this just once */
        virgin = 0;

            state->next = state->codes;
            state->lencode = (code const FAR *)(state->next);
            state->lenbits = 7;
            ret = inflate_table_safe(CODES, state->lens, 19, 
                                &(state->next), ENOUGH,
                                &(state->lenbits), state->work);
            if (ret) {
                strm->msg = (char *)"invalid code lengths set";

            state->next = state->codes;
            state->lencode = (code const FAR *)(state->next);
            state->lenbits = 9;
            ret = inflate_table_safe(LENS, state->lens, state->nlen,
                                &(state->next), ENOUGH,
                                &(state->lenbits), state->work);
            if (ret) {
                strm->msg = (char *)"invalid literal/lengths set";

            }
            state->distcode = (code const FAR *)(state->next);
            state->distbits = 6;
            ret = inflate_table_safe(DISTS, state->lens + state->nlen, state->ndist,
                            &(state->next), ENOUGH - (unsigned) (state->next - state->codes),
                            &(state->distbits), state->work);
            if (ret) {
                strm->msg = (char *)"invalid distances set";
                state->mode = BAD;




        next = fixed;
        lenfix = next;
        bits = 9;
        inflate_table_safe(LENS, state->lens, 288, &(next), 512, &(bits), state->work);

        /* distance table */
        sym = 0;
        while (sym < 32) state->lens[sym++] = 5;
        distfix = next;
        bits = 5;
        inflate_table_safe(DISTS, state->lens, 32, &(next), 32, &(bits), state->work);

        /* do this just once */
        virgin = 0;

            state->next = state->codes;
            state->lencode = (code const FAR *)(state->next);
            state->lenbits = 7;
            ret = inflate_table_safe(CODES, state->lens, 19, 
                                &(state->next), ENOUGH,
                                &(state->lenbits), state->work);
            if (ret) {
                strm->msg = (char *)"invalid code lengths set";

            state->next = state->codes;
            state->lencode = (code const FAR *)(state->next);
            state->lenbits = 9;
            ret = inflate_table_safe(LENS, state->lens, state->nlen,
                                &(state->next), ENOUGH,
                                &(state->lenbits), state->work);
            if (ret) {
                strm->msg = (char *)"invalid literal/lengths set";

            }
            state->distcode = (code const FAR *)(state->next);
            state->distbits = 6;
            ret = inflate_table_safe(DISTS, state->lens + state->nlen, state->ndist,
                            &(state->next), ENOUGH - (unsigned) (state->next - state->codes),
                            &(state->distbits), state->work);
            if (ret) {
                strm->msg = (char *)"invalid distances set";
                state->mode = BAD;

Lines 29-39 Link Here

(-)zlib-1.2.2.3-orig/inftrees.c (-4 / +38 lines)
29	table index bits. It will differ if the request is greater than the	29	table index bits. It will differ if the request is greater than the
30	longest code or if it is less than the shortest code.	30	longest code or if it is less than the shortest code.
31	*/	31	*/
32	int inflate_table(type, lens, codes, table, bits, work)	32	int inflate_table_safe(type, lens, codes, table, avail, bits, work)
33	codetype type;	33	codetype type;
34	unsigned short FAR *lens;	34	const unsigned short FAR *lens;
35	unsigned codes;	35	unsigned codes;
36	code FAR * FAR *table;	36	code FAR * FAR *table;
		37	unsigned avail;
37	unsigned FAR *bits;	38	unsigned FAR *bits;
38	unsigned short FAR *work;	39	unsigned short FAR *work;
39	{	40	{
Lines 103-108 Link Here
103	decoding tables.	104	decoding tables.
104	*/	105	*/
105		106
		107	restart:
		108
106	/* accumulate lengths for codes (assumes lens[] all in 0..MAXBITS) */	109	/* accumulate lengths for codes (assumes lens[] all in 0..MAXBITS) */
107	for (len = 0; len <= MAXBITS; len++)	110	for (len = 0; len <= MAXBITS; len++)
108	count[len] = 0;	111	count[len] = 0;
Lines 209-215 Link Here
209	mask = used - 1; /* mask for comparing low */	212	mask = used - 1; /* mask for comparing low */
210		213
211	/* check available table space */	214	/* check available table space */
212	if (type == LENS && used >= ENOUGH - MAXD)	215	if (used > avail)
213	return 1;	216	return 1;
214		217
215	/* process all codes and make table entries */	218	/* process all codes and make table entries */
Lines 276-283 Link Here
276		279
277	/* check for enough space */	280	/* check for enough space */
278	used += 1U << curr;	281	used += 1U << curr;
279	if (type == LENS && used >= ENOUGH - MAXD)	282	if (used > avail) {
		283	/* we usually can handle pathological sub-table overflows by
		284	restarting with a bigger root-table */
		285	if (root < max) {
		286	*bits = root + 1;
		287	goto restart;
		288	}
280	return 1;	289	return 1;
		290	}
281		291
282	/* point entry in root table to sub-table */	292	/* point entry in root table to sub-table */
283	low = huff & mask;	293	low = huff & mask;
Lines 326-328 Link Here
326	*bits = root;	336	*bits = root;
327	return 0;	337	return 0;
328	}	338	}
		339
		340
		341	#if 0
		342	/* XXX do we really want to keep this ??? */
		343	/* this is not used any longer, but might be called by external functions */
		344
		345	extern int inflate_table OF((codetype type, const unsigned short FAR *lens,
		346	unsigned codes, code FAR * FAR *table,
		347	unsigned FAR bits, unsigned short FAR work));
		348
		349	int inflate_table(type, lens, codes, table, bits, work)
		350	codetype type;
		351	const unsigned short FAR *lens;
		352	unsigned codes;
		353	code FAR * FAR *table;
		354	unsigned FAR *bits;
		355	unsigned short FAR *work;
		356	{
		357	unsigned avail = ~(0u);
		358	if (type == LENS) avail = ENOUGH - 156;
		359	return inflate_table_safe(type, lens, codes, table, avail, bits, work);
		360	}
		361	#endif
		362

Lines 41-47 Link Here

(-)zlib-1.2.2.3-orig/inftrees.h (-2 / +8 lines)
41	exhaustive search). The true maximum is not known, but the value	41	exhaustive search). The true maximum is not known, but the value
42	below is more than safe. */	42	below is more than safe. */
43	#define ENOUGH 1440	43	#define ENOUGH 1440
		44	#if 0
44	#define MAXD 154	45	#define MAXD 154
		46	#else
		47	/* MAXD no longer needed; FIXME: update comments */
		48	#endif
45		49
46	/* Type of code to build for inftable() */	50	/* Type of code to build for inftable() */
47	typedef enum {	51	typedef enum {
Lines 50-55 Link Here
50	DISTS	54	DISTS
51	} codetype;	55	} codetype;
52		56
53	extern int inflate_table OF((codetype type, unsigned short FAR *lens,	57	extern int inflate_table_safe OF((codetype type,
54	unsigned codes, code FAR * FAR *table,	58	const unsigned short FAR *lens, unsigned codes,
		59	code FAR * FAR *table, unsigned avail,
55	unsigned FAR bits, unsigned short FAR work));	60	unsigned FAR bits, unsigned short FAR work));
		61

Return to bug 95512

Lines 92-105 Link Here

(-)zlib-1.2.2.3-orig/infback.c (-6 / +9 lines)
92	next = fixed;	92	next = fixed;
93	lenfix = next;	93	lenfix = next;
94	bits = 9;	94	bits = 9;
95	inflate_table(LENS, state->lens, 288, &(next), &(bits), state->work);	95	inflate_table_safe(LENS, state->lens, 288, &(next), 512, &(bits), state->work);
96		96
97	/* distance table */	97	/* distance table */
98	sym = 0;	98	sym = 0;
99	while (sym < 32) state->lens[sym++] = 5;	99	while (sym < 32) state->lens[sym++] = 5;
100	distfix = next;	100	distfix = next;
101	bits = 5;	101	bits = 5;
102	inflate_table(DISTS, state->lens, 32, &(next), &(bits), state->work);	102	inflate_table_safe(DISTS, state->lens, 32, &(next), 32, &(bits), state->work);
103		103
104	/* do this just once */	104	/* do this just once */
105	virgin = 0;	105	virgin = 0;
Lines 376-382 Link Here
376	state->next = state->codes;	376	state->next = state->codes;
377	state->lencode = (code const FAR *)(state->next);	377	state->lencode = (code const FAR *)(state->next);
378	state->lenbits = 7;	378	state->lenbits = 7;
379	ret = inflate_table(CODES, state->lens, 19, &(state->next),	379	ret = inflate_table_safe(CODES, state->lens, 19,
		380	&(state->next), ENOUGH,
380	&(state->lenbits), state->work);	381	&(state->lenbits), state->work);
381	if (ret) {	382	if (ret) {
382	strm->msg = (char *)"invalid code lengths set";	383	strm->msg = (char *)"invalid code lengths set";
Lines 442-448 Link Here
442	state->next = state->codes;	443	state->next = state->codes;
443	state->lencode = (code const FAR *)(state->next);	444	state->lencode = (code const FAR *)(state->next);
444	state->lenbits = 9;	445	state->lenbits = 9;
445	ret = inflate_table(LENS, state->lens, state->nlen, &(state->next),	446	ret = inflate_table_safe(LENS, state->lens, state->nlen,
		447	&(state->next), ENOUGH,
446	&(state->lenbits), state->work);	448	&(state->lenbits), state->work);
447	if (ret) {	449	if (ret) {
448	strm->msg = (char *)"invalid literal/lengths set";	450	strm->msg = (char *)"invalid literal/lengths set";
Lines 451-458 Link Here
451	}	453	}
452	state->distcode = (code const FAR *)(state->next);	454	state->distcode = (code const FAR *)(state->next);
453	state->distbits = 6;	455	state->distbits = 6;
454	ret = inflate_table(DISTS, state->lens + state->nlen, state->ndist,	456	ret = inflate_table_safe(DISTS, state->lens + state->nlen, state->ndist,
455	&(state->next), &(state->distbits), state->work);	457	&(state->next), ENOUGH - (unsigned) (state->next - state->codes),
		458	&(state->distbits), state->work);
456	if (ret) {	459	if (ret) {
457	strm->msg = (char *)"invalid distances set";	460	strm->msg = (char *)"invalid distances set";
458	state->mode = BAD;	461	state->mode = BAD;

Lines 207-220 Link Here

(-)zlib-1.2.2.3-orig/inflate.c (-6 / +9 lines)
207	next = fixed;	207	next = fixed;
208	lenfix = next;	208	lenfix = next;
209	bits = 9;	209	bits = 9;
210	inflate_table(LENS, state->lens, 288, &(next), &(bits), state->work);	210	inflate_table_safe(LENS, state->lens, 288, &(next), 512, &(bits), state->work);
211		211
212	/* distance table */	212	/* distance table */
213	sym = 0;	213	sym = 0;
214	while (sym < 32) state->lens[sym++] = 5;	214	while (sym < 32) state->lens[sym++] = 5;
215	distfix = next;	215	distfix = next;
216	bits = 5;	216	bits = 5;
217	inflate_table(DISTS, state->lens, 32, &(next), &(bits), state->work);	217	inflate_table_safe(DISTS, state->lens, 32, &(next), 32, &(bits), state->work);
218		218
219	/* do this just once */	219	/* do this just once */
220	virgin = 0;	220	virgin = 0;
Lines 846-852 Link Here
846	state->next = state->codes;	846	state->next = state->codes;
847	state->lencode = (code const FAR *)(state->next);	847	state->lencode = (code const FAR *)(state->next);
848	state->lenbits = 7;	848	state->lenbits = 7;
849	ret = inflate_table(CODES, state->lens, 19, &(state->next),	849	ret = inflate_table_safe(CODES, state->lens, 19,
		850	&(state->next), ENOUGH,
850	&(state->lenbits), state->work);	851	&(state->lenbits), state->work);
851	if (ret) {	852	if (ret) {
852	strm->msg = (char *)"invalid code lengths set";	853	strm->msg = (char *)"invalid code lengths set";
Lines 912-918 Link Here
912	state->next = state->codes;	913	state->next = state->codes;
913	state->lencode = (code const FAR *)(state->next);	914	state->lencode = (code const FAR *)(state->next);
914	state->lenbits = 9;	915	state->lenbits = 9;
915	ret = inflate_table(LENS, state->lens, state->nlen, &(state->next),	916	ret = inflate_table_safe(LENS, state->lens, state->nlen,
		917	&(state->next), ENOUGH,
916	&(state->lenbits), state->work);	918	&(state->lenbits), state->work);
917	if (ret) {	919	if (ret) {
918	strm->msg = (char *)"invalid literal/lengths set";	920	strm->msg = (char *)"invalid literal/lengths set";
Lines 921-928 Link Here
921	}	923	}
922	state->distcode = (code const FAR *)(state->next);	924	state->distcode = (code const FAR *)(state->next);
923	state->distbits = 6;	925	state->distbits = 6;
924	ret = inflate_table(DISTS, state->lens + state->nlen, state->ndist,	926	ret = inflate_table_safe(DISTS, state->lens + state->nlen, state->ndist,
925	&(state->next), &(state->distbits), state->work);	927	&(state->next), ENOUGH - (unsigned) (state->next - state->codes),
		928	&(state->distbits), state->work);
926	if (ret) {	929	if (ret) {
927	strm->msg = (char *)"invalid distances set";	930	strm->msg = (char *)"invalid distances set";
928	state->mode = BAD;	931	state->mode = BAD;