diff options
author | bz <bz@FreeBSD.org> | 2011-09-28 08:47:17 +0000 |
---|---|---|
committer | bz <bz@FreeBSD.org> | 2011-09-28 08:47:17 +0000 |
commit | 2e8e044c2fd777a22fe0e18a64666670c4b72dd7 (patch) | |
tree | 6b2a5e897537e8defdf4089f141f835461cd9343 /usr.bin/gzip | |
parent | 38b4a9842482e6817e8229e2fb567a4431b1924b (diff) | |
download | FreeBSD-src-2e8e044c2fd777a22fe0e18a64666670c4b72dd7.zip FreeBSD-src-2e8e044c2fd777a22fe0e18a64666670c4b72dd7.tar.gz |
Fix handling of corrupt compress(1)ed data. [11:04]
Add missing length checks on unix socket addresses. [11:05]
Approved by: so (cperciva)
Approved by: re (kensmith)
Security: FreeBSD-SA-11:04.compress
Security: CVE-2011-2895 [11:04]
Security: FreeBSD-SA-11:05.unix
Diffstat (limited to 'usr.bin/gzip')
-rw-r--r-- | usr.bin/gzip/zuncompress.c | 31 |
1 files changed, 19 insertions, 12 deletions
diff --git a/usr.bin/gzip/zuncompress.c b/usr.bin/gzip/zuncompress.c index f68ba59..1d0b66f 100644 --- a/usr.bin/gzip/zuncompress.c +++ b/usr.bin/gzip/zuncompress.c @@ -247,7 +247,7 @@ zread(void *cookie, char *rbp, int num) zs->zs_block_compress = zs->zs_maxbits & BLOCK_MASK; zs->zs_maxbits &= BIT_MASK; zs->zs_maxmaxcode = 1L << zs->zs_maxbits; - if (zs->zs_maxbits > BITS) { + if (zs->zs_maxbits > BITS || zs->zs_maxbits < 12) { errno = EFTYPE; return (-1); } @@ -259,13 +259,7 @@ zread(void *cookie, char *rbp, int num) } zs->zs_free_ent = zs->zs_block_compress ? FIRST : 256; - zs->u.r.zs_finchar = zs->u.r.zs_oldcode = getcode(zs); - if (zs->u.r.zs_oldcode == -1) /* EOF already? */ - return (0); /* Get out of here */ - - /* First code must be 8 bits = char. */ - *bp++ = (u_char)zs->u.r.zs_finchar; - count--; + zs->u.r.zs_oldcode = -1; zs->u.r.zs_stackp = de_stack; while ((zs->u.r.zs_code = getcode(zs)) > -1) { @@ -275,17 +269,29 @@ zread(void *cookie, char *rbp, int num) zs->u.r.zs_code--) tab_prefixof(zs->u.r.zs_code) = 0; zs->zs_clear_flg = 1; - zs->zs_free_ent = FIRST - 1; - if ((zs->u.r.zs_code = getcode(zs)) == -1) /* O, untimely death! */ - break; + zs->zs_free_ent = FIRST; + zs->u.r.zs_oldcode = -1; + continue; } zs->u.r.zs_incode = zs->u.r.zs_code; /* Special case for KwKwK string. */ if (zs->u.r.zs_code >= zs->zs_free_ent) { + if (zs->u.r.zs_code > zs->zs_free_ent || + zs->u.r.zs_oldcode == -1) { + /* Bad stream. */ + errno = EINVAL; + return (-1); + } *zs->u.r.zs_stackp++ = zs->u.r.zs_finchar; zs->u.r.zs_code = zs->u.r.zs_oldcode; } + /* + * The above condition ensures that code < free_ent. + * The construction of tab_prefixof in turn guarantees that + * each iteration decreases code and therefore stack usage is + * bound by 1 << BITS - 256. + */ /* Generate output characters in reverse order. */ while (zs->u.r.zs_code >= 256) { @@ -302,7 +308,8 @@ middle: do { } while (zs->u.r.zs_stackp > de_stack); /* Generate the new entry. */ - if ((zs->u.r.zs_code = zs->zs_free_ent) < zs->zs_maxmaxcode) { + if ((zs->u.r.zs_code = zs->zs_free_ent) < zs->zs_maxmaxcode && + zs->u.r.zs_oldcode != -1) { tab_prefixof(zs->u.r.zs_code) = (u_short) zs->u.r.zs_oldcode; tab_suffixof(zs->u.r.zs_code) = zs->u.r.zs_finchar; zs->zs_free_ent = zs->u.r.zs_code + 1; |