diff options
author | Thiemo Nagel <thiemo.nagel@ph.tum.de> | 2009-08-16 16:48:37 +0200 |
---|---|---|
committer | Jim Meyering <meyering@redhat.com> | 2009-08-18 09:28:06 +0200 |
commit | 39a362ae9d9b007473381dba5032f4dfc1744cf2 (patch) | |
tree | 83234717daa5b115400a424d37e0f33627f02968 /inflate.c | |
parent | 3fe0caeada6aa3abca87b5099594bd87e5dfccfe (diff) | |
download | gzip-39a362ae9d9b007473381dba5032f4dfc1744cf2.tar.gz |
avoid creating an undersized buffer for the hufts table
A malformed input file can cause gzip to crash with a segmentation
violation or hang in an endless loop.
Reported in <http://bugs.debian.org/507263>.
* NEWS (Bug fixes): Mention it.
Diffstat (limited to 'inflate.c')
-rw-r--r-- | inflate.c | 6 |
1 files changed, 4 insertions, 2 deletions
@@ -335,13 +335,15 @@ int *m; /* maximum lookup bits, returns actual */ } while (--i); if (c[0] == n) /* null input--all zero length codes */ { - q = (struct huft *) malloc (2 * sizeof *q); + q = (struct huft *) malloc (3 * sizeof *q); if (!q) return 3; - hufts += 2; + hufts += 3; q[0].v.t = (struct huft *) NULL; q[1].e = 99; /* invalid code marker */ q[1].b = 1; + q[2].e = 99; /* invalid code marker */ + q[2].b = 1; *t = q + 1; *m = 1; return 0; |