authorThiemo Nagel <thiemo.nagel@ph.tum.de>2009-08-16 16:48:37 +0200
committerJim Meyering <meyering@redhat.com>2009-08-18 09:28:06 +0200
commit39a362ae9d9b007473381dba5032f4dfc1744cf2 (patch)
tree83234717daa5b115400a424d37e0f33627f02968 /inflate.c
parent3fe0caeada6aa3abca87b5099594bd87e5dfccfe (diff)
downloadgzip-39a362ae9d9b007473381dba5032f4dfc1744cf2.tar.gz
avoid creating an undersized buffer for the hufts table
A malformed input file can cause gzip to crash with a segmentation violation or hang in an endless loop. Reported in <http://bugs.debian.org/507263>. * NEWS (Bug fixes): Mention it.
Diffstat (limited to 'inflate.c')
-rw-r--r--inflate.c6
1 files changed, 4 insertions, 2 deletions
diff --git a/inflate.c b/inflate.c
index 7dd630a..2f8670d 100644
--- a/inflate.c
+++ b/inflate.c
@@ -335,13 +335,15 @@ int *m; /* maximum lookup bits, returns actual */
} while (--i);
if (c[0] == n) /* null input--all zero length codes */
{
- q = (struct huft *) malloc (2 * sizeof *q);
+ q = (struct huft *) malloc (3 * sizeof *q);
if (!q)
return 3;
- hufts += 2;
+ hufts += 3;
q[0].v.t = (struct huft *) NULL;
q[1].e = 99; /* invalid code marker */
q[1].b = 1;
+ q[2].e = 99; /* invalid code marker */
+ q[2].b = 1;
*t = q + 1;
*m = 1;
return 0;
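Review bot: The count `3` on the new `malloc` line (and in `hufts += 3`) is a bare number, and nothing in the hunk says how it relates to `*m = 1`. Since `*t = q + 1` and `*m = 1`, a one-bit lookup can presumably select either `q[1]` or `q[2]`, so a comment above the allocation such as `/* 1 link entry (q[0]) + (1 << *m) lookup entries, each an invalid-code marker */` would record the bound that the buffer size has to satisfy. Only `e` and `b` are set on `q[1]` and `q[2]`, which looks sufficient only if every decoder tests `e == 99` before reading `v`; that is worth confirming against the callers, which are not visible here. The enclosing function starts and ends outside this hunk.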