[PATCH] Update in-kernel zlib routines (CAN-2005-2458, CAN-2005-2459)

Fix outstanding security bugs in the Linux zlib implementations. See: a) http://sources.redhat.com/ml/bug-gnu-utils/1999-06/msg00183.html CAN-2005-2458 b) http://bugs.gentoo.org/show_bug.cgi?id=94584 CAN-2005-2459 Signed-off-by: Tim Yamin <plasmaroo@gentoo.org> Signed-off-by: Tavis Ormandy <taviso@gentoo.org> Signed-off-by: Chris Wright <chrisw@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

[PATCH] Update in-kernel zlib routines (CAN-2005-2458, CAN-2005-2459)
Fix outstanding security bugs in the Linux zlib implementations. See: a) http://sources.redhat.com/ml/bug-gnu-utils/1999-06/msg00183.html CAN-2005-2458 b) http://bugs.gentoo.org/show_bug.cgi?id=94584 CAN-2005-2459 Signed-off-by: Tim Yamin <plasmaroo@gentoo.org> Signed-off-by: Tavis Ormandy <taviso@gentoo.org> Signed-off-by: Chris Wright <chrisw@osdl.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
88560531 · Tim Yamin · Chris Wright · 8f5a9b18 · 88560531 · 88560531
Commit 88560531 authored Jul 25, 2005 by Tim Yamin Committed by Chris Wright Aug 14, 2005
Hide whitespace changes
Inline Side-by-side

Showing with 12 additions and 9 deletions

arch/ppc64/boot/zlib.c arch/ppc64/boot/zlib.c +2 -1

lib/inflate.c lib/inflate.c +9 -7

lib/zlib_inflate/inftrees.c lib/zlib_inflate/inftrees.c +1 -1

No files found.
--- a/arch/ppc64/boot/zlib.c
+++ b/arch/ppc64/boot/zlib.c
@@ -1307,7 +1307,7 @@ local int huft_build(
  {
    *t = (inflate_huft *)Z_NULL;
    *m = 0;
-    return Z_OK;
+    return Z_DATA_ERROR;
  }


@@ -1351,6 +1351,7 @@ local int huft_build(
    if ((j = *p++) != 0)
      v[x[j]++] = i;
  } while (++i < n);
+  n = x[g];			/* set n to length of v */


  /* Generate the Huffman codes and for each, make the table entries */

--- a/lib/inflate.c
+++ b/lib/inflate.c
@@ -326,7 +326,7 @@ DEBG("huft1 ");
  {
    *t = (struct huft *)NULL;
    *m = 0;
-    return 0;
+    return 2;
  }

 DEBG("huft2 ");
@@ -374,6 +374,7 @@ DEBG("huft5 ");
    if ((j = *p++) != 0)
      v[x[j]++] = i;
  } while (++i < n);
+  n = x[g];                   /* set n to length of v */

 DEBG("h6 ");

@@ -410,12 +411,13 @@ DEBG1("1 ");
 DEBG1("2 ");
          f -= a + 1;           /* deduct codes from patterns left */
          xp = c + k;
-          while (++j < z)       /* try smaller tables up to z bits */
-          {
-            if ((f <<= 1) <= *++xp)
-              break;            /* enough codes to use up j bits */
-            f -= *xp;           /* else deduct codes from patterns */
-          }
+          if (j < z)
+            while (++j < z)       /* try smaller tables up to z bits */
+            {
+              if ((f <<= 1) <= *++xp)
+                break;            /* enough codes to use up j bits */
+              f -= *xp;           /* else deduct codes from patterns */
+            }
        }
 DEBG1("3 ");
        z = 1 << j;             /* table entries for j-bit table */

--- a/lib/zlib_inflate/inftrees.c
+++ b/lib/zlib_inflate/inftrees.c
@@ -141,7 +141,7 @@ static int huft_build(
  {
    *t = NULL;
    *m = 0;
-    return Z_OK;
+    return Z_DATA_ERROR;
  }