diff options
| author | Tomas Hoger <thoger@redhat.com> | 2011-09-11 09:13:45 +0200 |
|---|---|---|
| committer | Werner Lemberg <wl@gnu.org> | 2011-09-11 09:13:45 +0200 |
| commit | 83cb6c0049f6cc5ea3f27d1d90891472f288ac5e (patch) | |
| tree | d6689b08b0f598154ea91ddf5754bf575fc29797 | |
| parent | 86c3c69c15dfc46238e2e0822876982b21aa53f9 (diff) | |
| download | freetype2-83cb6c0049f6cc5ea3f27d1d90891472f288ac5e.tar.gz | |
Add explicit LZW decompression stack size limit.
Stack larger than 1<<LZW_MAX_BITS is never needed if prefix table is
constructed correctly. It's even less than that, see e.g.
libarchive code comment for a better size upper bound:
http://code.google.com/p/libarchive/source/browse/trunk/libarchive/archive_read_support_filter_compress.c?r=3635#121
This patch adds explicit stack size limit, enforced when stack is
realloced.
An alternative is to ensure that code < state->prefix[code - 256]
when traversing prefix table. Such check is less efficient and
should not be required if prefix table is constructed correctly in
the first place.
* src/lzw/ftzopen.c (ft_lzwstate_stack_grow): Implement it.
| -rw-r--r-- | ChangeLog | 20 | ||||
| -rw-r--r-- | src/lzw/ftzopen.c | 9 |
2 files changed, 29 insertions, 0 deletions
@@ -1,5 +1,25 @@ 2011-09-11 Tomas Hoger <thoger@redhat.com> + Add explicit LZW decompression stack size limit. + + Stack larger than 1<<LZW_MAX_BITS is never needed if prefix table is + constructed correctly. It's even less than that, see e.g. + libarchive code comment for a better size upper bound: + + http://code.google.com/p/libarchive/source/browse/trunk/libarchive/archive_read_support_filter_compress.c?r=3635#121 + + This patch adds explicit stack size limit, enforced when stack is + realloced. + + An alternative is to ensure that code < state->prefix[code - 256] + when traversing prefix table. Such check is less efficient and + should not be required if prefix table is constructed correctly in + the first place. + + * src/lzw/ftzopen.c (ft_lzwstate_stack_grow): Implement it. + +2011-09-11 Tomas Hoger <thoger@redhat.com> + Protect against loops in the prefix table. LZW decompressor did not sufficiently check codes read from the diff --git a/src/lzw/ftzopen.c b/src/lzw/ftzopen.c index b5a6226fc..f55ee3a08 100644 --- a/src/lzw/ftzopen.c +++ b/src/lzw/ftzopen.c @@ -124,6 +124,15 @@ old_size = 0; } + /* requirement of the character stack larger than 1<<LZW_MAX_BITS */ + /* implies bug in the decompression code */ + if ( new_size > ( 1 << LZW_MAX_BITS ) ) + { + new_size = 1 << LZW_MAX_BITS; + if ( new_size == old_size ) + return -1; + } + if ( FT_RENEW_ARRAY( state->stack, old_size, new_size ) ) return -1; |