suse_patch2_gzip.diff   [plain text]

--- inflate.c
+++ inflate.c
@@ -337,7 +337,7 @@
   {
     *t = (struct huft *)NULL;
     *m = 0;
-    return 0;
+    return 2;
   }
 
 
--- unlzh.c
+++ unlzh.c
@@ -69,11 +69,7 @@
 #define NT (CODE_BIT + 3)
 #define PBIT 4  /* smallest integer such that (1U << PBIT) > NP */
 #define TBIT 5  /* smallest integer such that (1U << TBIT) > NT */
-#if NT > NP
-# define NPT NT
-#else
-# define NPT NP
-#endif
+#define NPT (1<<TBIT)
 
 /* local ush left[2 * NC - 1]; */
 /* local ush right[2 * NC - 1]; */
@@ -179,6 +175,8 @@
 	if ((len = bitlen[ch]) == 0) continue;
 	nextcode = start[len] + weight[len];
 	if (len <= (unsigned)tablebits) {
+	    if (nextcode > 1 << tablebits)
+		error("Bad table\n");
 	    for (i = start[len]; i < nextcode; i++) table[i] = ch;
 	} else {
 	    k = start[len];
@@ -223,6 +221,8 @@
 	    if (c == 7) {
 		mask = (unsigned) 1 << (BITBUFSIZ - 1 - 3);
 		while (mask & bitbuf) {  mask >>= 1;  c++;  }
+		if (c > 16)
+		    error("Bad table\n");
 	    }
 	    fillbuf((c < 7) ? 3 : c - 3);
 	    pt_len[i++] = c;
--- unpack.c
+++ unpack.c
@@ -97,6 +97,7 @@
     int len;  /* bit length */
     int base; /* base offset for a sequence of leaves */
     int n;
+    int max_leaves;
 
     /* Read the original input size, MSB first */
     orig_len = 0;
@@ -109,11 +110,15 @@
 
     /* Get the number of leaves at each bit length */
     n = 0;
+    max_leaves = 1;
     for (len = 1; len <= max_len; len++) {
 	leaves[len] = (int)get_byte();
+	if (leaves[len] > max_leaves - (len == max_len))
+	    error("too many leaves in Huffman tree");
+	max_leaves = (max_leaves - leaves[len] + 1) * 2 - 1;
 	n += leaves[len];
     }
-    if (n > LITERALS) {
+    if (n >= LITERALS) {
 	error("too many leaves in Huffman tree");
     }
     Trace((stderr, "orig_len %lu, max_len %d, leaves %d\n",