blob: 368b3eeb122dc1419576be21425c78827858eaea (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
|
http://bugs.gentoo.org/213761
fix for CVE-2008-0888
--- inflate.c
+++ inflate.c
@@ -983,6 +983,7 @@
unsigned l; /* last length */
unsigned m; /* mask for bit lengths table */
unsigned n; /* number of lengths to get */
+ struct huft *tlp;
struct huft *tl; /* literal/length code table */
struct huft *td; /* distance code table */
unsigned bl; /* lookup bits for tl */
@@ -996,6 +997,8 @@
int retval = 0; /* error code returned: initialized to "no error" */
+ td = tlp = tl = (struct huft *)NULL;
+
/* make local bit buffer */
Trace((stderr, "\ndynamic block"));
b = G.bb;
@@ -1047,9 +1050,9 @@
while (i < n)
{
NEEDBITS(bl)
- j = (td = tl + ((unsigned)b & m))->b;
+ j = (tlp = tl + ((unsigned)b & m))->b;
DUMPBITS(j)
- j = td->v.n;
+ j = tlp->v.n;
if (j < 16) /* length of code in bits (0..15) */
ll[i++] = l = j; /* save last length in l */
else if (j == 16) /* repeat last length 3 to 6 times */
|