The gzip description is as good as the ChangeLog says it is -: "Set n to

length of v, to detect improper tables" and "Don't accidentally grow j
past z". The return 2 instead of the return 0 is so that we actually
error out if we also get inproper tables (for some reason the code
returned "OK" in such cases).

Fix outstanding security bugs in the Linux zlib implementations. See:

a) http://sources.redhat.com/ml/bug-gnu-utils/1999-06/msg00183.html
b) http://bugs.gentoo.org/show_bug.cgi?id=94584

Signed-off-by: Tim Yamin <plasmaroo@gentoo.org>
Signed-off-by: Tavis Ormandy <taviso@gentoo.org>

diff --git a/arch/ppc/boot/lib/zlib.c b/arch/ppc/boot/lib/zlib.c
index 6885ad9..5a1a226 100644 (file)
--- a/arch/ppc/boot/lib/zlib.c
+++ b/arch/ppc/boot/lib/zlib.c
@@ -1278,7 +1278,7 @@ z_stream *zs;           /* for zalloc function */
   {
     *t = (inflate_huft *)Z_NULL;
     *m = 0;
-    return Z_OK;
+    return Z_DATA_ERROR;
   }
 
 
@@ -1322,6 +1322,7 @@ z_stream *zs;           /* for zalloc function */
     if ((j = *p++) != 0)
       v[x[j]++] = i;
   } while (++i < n);
+  n = x[g];                    /* set n to length of v */
 
 
   /* Generate the Huffman codes and for each, make the table entries */

diff --git a/arch/ppc64/boot/zlib.c b/arch/ppc64/boot/zlib.c
index 2421377..ea3186c 100644 (file)
--- a/arch/ppc64/boot/zlib.c
+++ b/arch/ppc64/boot/zlib.c
@@ -1294,7 +1294,7 @@ z_stream *zs;           /* for zalloc function */
   {
     *t = (inflate_huft *)Z_NULL;
     *m = 0;
-    return Z_OK;
+    return Z_DATA_ERROR;
   }
 
 
@@ -1338,6 +1338,7 @@ z_stream *zs;           /* for zalloc function */
     if ((j = *p++) != 0)
       v[x[j]++] = i;
   } while (++i < n);
+  n = x[g];                    /* set n to length of v */
 
 
   /* Generate the Huffman codes and for each, make the table entries */

diff --git a/lib/inflate.c b/lib/inflate.c
index 771d227..2fa68b2 100644 (file)
--- a/lib/inflate.c
+++ b/lib/inflate.c
@@ -320,7 +320,7 @@ DEBG("huft1 ");
   {
     *t = (struct huft *)NULL;
     *m = 0;
-    return 0;
+    return 2;
   }
 
 DEBG("huft2 ");
@@ -368,6 +368,7 @@ DEBG("huft5 ");
     if ((j = *p++) != 0)
       v[x[j]++] = i;
   } while (++i < n);
+  n = x[g];                   /* set n to length of v */
 
 DEBG("h6 ");
 
@@ -404,12 +405,13 @@ DEBG1("1 ");
 DEBG1("2 ");
           f -= a + 1;           /* deduct codes from patterns left */
           xp = c + k;
-          while (++j < z)       /* try smaller tables up to z bits */
-          {
-            if ((f <<= 1) <= *++xp)
-              break;            /* enough codes to use up j bits */
-            f -= *xp;           /* else deduct codes from patterns */
-          }
+          if (j < z)
+            while (++j < z)       /* try smaller tables up to z bits */
+            {
+              if ((f <<= 1) <= *++xp)
+                break;            /* enough codes to use up j bits */
+              f -= *xp;           /* else deduct codes from patterns */
+            }
         }
 DEBG1("3 ");
         z = 1 << j;             /* table entries for j-bit table */

diff --git a/lib/zlib_inflate/inftrees.c b/lib/zlib_inflate/inftrees.c
index d3ea7ef..ab2c780 100644 (file)
--- a/lib/zlib_inflate/inftrees.c
+++ b/lib/zlib_inflate/inftrees.c
@@ -140,7 +140,7 @@ uIntf *v;               /* working area: values in order of bit length */
   {
     *t = (inflate_huft *)Z_NULL;
     *m = 0;
-    return Z_OK;
+    return Z_DATA_ERROR;
   }