/* ------------------------------------------------------------------------ */
#include "lha.h"
-#include <assert.h>
-
#if HAVE_SYS_PARAM_H
#include <sys/param.h>
#endif
case LZHUFF6_DICBIT: pbit = 5; np = LZHUFF6_DICBIT + 1; break;
case LZHUFF7_DICBIT: pbit = 5; np = LZHUFF7_DICBIT + 1; break;
default:
- assert(0);
+ fatal_error("Cannot use %d bytes dictionary", 1 << dicbit);
}
-
+
for (i = 0; i < NC; i++)
c_freq[i] = 0;
for (i = 0; i < np; i++)
}
else {
i = 0;
- while (i < n) {
+ while (i < MIN(n, NPT)) {
c = peekbits(3);
if (c != 7)
fillbuf(3);
pt_len[i++] = c;
if (i == i_special) {
c = getbits(2);
- while (--c >= 0)
+ while (--c >= 0 && i < NPT)
pt_len[i++] = 0;
}
}
c_table[i] = c;
} else {
i = 0;
- while (i < n) {
+ while (i < MIN(n,NC)) {
c = pt_table[peekbits(8)];
if (c >= NT) {
unsigned short mask = 1 << (16 - 9);
else
c = left[c];
mask >>= 1;
- } while (c >= NT);
+ } while (c >= NT && (mask || c != left[c])); /* CVE-2006-4338 */
}
fillbuf(pt_len[c]);
if (c <= 2) {
else
j = left[j];
mask >>= 1;
- } while (j >= NC);
+ } while (j >= NC && (mask || j != left[j])); /* CVE-2006-4338 */
fillbuf(c_len[j] - 12);
}
return j;
else
j = left[j];
mask >>= 1;
- } while (j >= np);
+ } while (j >= np && (mask || j != left[j])); /* CVE-2006-4338 */
fillbuf(pt_len[j] - 8);
}
if (j != 0)
case LZHUFF6_DICBIT: pbit = 5; np = LZHUFF6_DICBIT + 1; break;
case LZHUFF7_DICBIT: pbit = 5; np = LZHUFF7_DICBIT + 1; break;
default:
- assert(0);
+ fatal_error("Cannot use %d bytes dictionary", 1 << dicbit);
}
init_getbits();
OSDN Git Service
