authorPaul Eggert <eggert@trombone>2022-06-28 22:30:08 -0500
committerPaul Eggert <eggert@cs.ucla.edu>2022-06-28 22:42:11 -0500
commit4b58eee79d3af3647adb4c78938d83970e788975 (patch)
treedb9fdecf735f86679870c71d0e544131b5c0faf8
parent85e0910e6ec2b81ff4b9232015a30b369aef8c0c (diff)
downloadgzip-4b58eee79d3af3647adb4c78938d83970e788975.tar.gz
gzip: detect invalid input
Problem reported by Young Mo Kang and fix from Mark Adler (Bug#56247). * inflate.c: Include stdbool.h. (fresh): New static var. * inflate.c (flush_output): Clear it. (inflate): Set it. (inflate_codes): Fail if the offset is outside a fresh input window.
-rw-r--r--inflate.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/inflate.c b/inflate.c
index 199a935..4fbb1be 100644
--- a/inflate.c
+++ b/inflate.c
@@ -117,6 +117,7 @@
#include <config.h>
+#include <stdbool.h>
#include <stdlib.h>
#include "tailor.h"
@@ -153,8 +154,9 @@ static int huft_free (struct huft *);
"uch *slide;" and then malloc'ed in the latter case. The definition
must be in unzip.h, included above. */
/* unsigned wp; current position in slide */
+static bool fresh;
#define wp outcnt
-#define flush_output(w) (wp=(w),flush_window())
+#define flush_output(w) (fresh = false, wp = (w), flush_window ())
/* Tables for deflate from PKZIP's appnote.txt. */
static unsigned border[] = { /* Order of the bit length code lengths */
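Review bot: `fresh` is declared without a comment, and it is placed between the `/* unsigned wp; current position in slide */` comment and the `#define wp outcnt` line that comment describes. Moving the declaration below `#define wp outcnt` and adding something like `/* True from the start of inflate() until the first flush_output(); while set, slide[] holds no earlier output below wp. */` would record the invariant the new check in inflate_codes depends on. `flush_output` now also clears `fresh` as a side effect, which deserves a word in that comment: a later code path that flushes or resets the window without going through the macro would presumably leave the guard stale.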
@@ -582,6 +584,8 @@ inflate_codes(struct huft *tl, struct huft *td, int bl, int bd)
NEEDBITS(e)
d = w - t->v.n - ((unsigned)b & mask_bits[e]);
DUMPBITS(e)
+ if (fresh && w <= d)
+ return 1;
Tracevv ((stderr, "\\[%u,%u]", w - d, n));
/* do the copy */
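Review bot: The guard `if (fresh && w <= d)` appears to rely on `d` being unsigned, so that the subtraction on the line above wraps to a value at or above `w` when the distance reaches before the first output byte; nothing in the hunk says so. A comment above the test, for example `/* d wrapped: distance points before the start of a fresh window */`, would keep a later change to `d`'s type or to the subtraction from silently disabling the bounds check. The early `return 1` also comes before the `Tracevv` call, so a debug build logs nothing for the rejected length/distance pair. inflate_codes begins and ends outside this hunk, so the declarations of `w` and `d` are not visible here.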
@@ -964,6 +968,7 @@ inflate(void)
wp = 0;
bk = 0;
bb = 0;
+ fresh = true;
/* decompress until the last block */