bug-gzip

Improved patch for CVE-2010-0001


From: Geoffrey Keating
Subject: Improved patch for CVE-2010-0001
Date: Mon, 18 Oct 2010 12:01:00 -0700

While examining the patch for CVE-2010-0001 in a clean room environment, we 
found a non-security issue.  Here is the existing patch:

-       e = insize-(o = (posbits>>3));
+       o = posbits >> 3;
+       e = o <= insize ? insize - o : 0;

Suppose a CLEAR code is found near the end of the in-memory buffer but there is 
still more data to be read.  (This must be extremely rare.)  In that case what 
you want to do is re-fill the buffer and then skip to the next block of 8 
codes, which might involve ignoring some bytes at the start of the new buffer.  
The original patch will start at the beginning of the buffer ('posbits=0'), 
which may be too soon.

The following might be more suitable:

--- unlzw.c
+++ unlzw.c
@@ -253,8 +253,14 @@ int unlzw(in, out)
        for (i = 0 ; i < e ; ++i) {
            inbuf[i] = inbuf[i+o];
        }
-       insize = e;
+
+       insize = 0;
        posbits = 0;
+       if (e >= 0) {
+               insize = e;
+       } else {
+               posbits = abs(e)<<3;
+       }
 
        if (insize < INBUF_EXTRA) {
            rsize = read_buffer (in, (char *) inbuf + insize, INBUFSIZ);
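Review bot: the `else` branch of this hunk is only reachable if `e` can be negative, but the CVE-2010-0001 fix quoted at the top of the message clamps it (`e = o <= insize ? insize - o : 0;`), so as shown the `posbits = abs(e)<<3;` path is dead code; the patch needs to also restore the signed computation (`e = insize - o;`) at the line above the copy loop, and that change should be part of the hunk. Two smaller points: `abs()` requires `<stdlib.h>`, and since `e < 0` is already established in that branch, `(-e) << 3` says the same thing without the call; the `+` line that adds only an empty line before `insize = 0;` is stray whitespace.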

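The refill step described in the message, as an added stand-alone model (not gzip's own code): the `resetbuf` logic is reimplemented with a constructed input source so the difference between clamping `e` to zero and carrying the signed difference into `posbits` can be observed. `fake_read`, `reset_buffer`, `next_byte_after_refill`, `BUF_SIZE` and the `clamp_e` switch are hypothetical names for this example only.

```c
#define BUF_SIZE 64

/* Constructed stand-in for gzip's read_buffer(): hands out the byte
 * values *cursor, *cursor+1, ... so every new byte is identifiable. */
static int fake_read(unsigned char *dst, int want, int *cursor)
{
    int n = 0;
    while (n < want && *cursor < 256)
        dst[n++] = (unsigned char)(*cursor)++;
    return n;
}

/* One "resetbuf" step. insize: valid bytes in inbuf; posbits: read
 * position in bits, which may lie past insize after a CLEAR code near
 * the end of the buffer. clamp_e selects the clamped CVE-2010-0001
 * behaviour (e forced to 0) instead of the signed difference. */
void reset_buffer(unsigned char *inbuf, int *insize, long *posbits,
                  int *cursor, int clamp_e)
{
    int o = (int)(*posbits >> 3);
    int e = *insize - o;              /* negative: bytes already consumed */
    int i;
    if (clamp_e && e < 0)
        e = 0;
    for (i = 0; i < e; ++i)           /* move the unread tail to the front */
        inbuf[i] = inbuf[i + o];
    *insize = 0;
    *posbits = 0;
    if (e >= 0)
        *insize = e;
    else
        *posbits = (long)(-e) << 3;   /* skip consumed bytes of new data */
    *insize += fake_read(inbuf + *insize, BUF_SIZE - *insize, cursor);
}

/* Constructed scenario: inbuf holds the 10 bytes 0..9, decoding has
 * advanced to byte `pos` (pos > 10 models the CLEAR-near-the-end case),
 * and fresh input starts at value 100. Returns the byte that decoding
 * would consume next after the refill, or -1 if nothing is left. */
int next_byte_after_refill(int pos, int clamp_e)
{
    unsigned char inbuf[BUF_SIZE];
    int insize = 10, cursor = 100, i;
    long posbits = (long)pos << 3;
    for (i = 0; i < insize; ++i)
        inbuf[i] = (unsigned char)i;
    reset_buffer(inbuf, &insize, &posbits, &cursor, clamp_e);
    if ((posbits >> 3) >= insize)
        return -1;
    return inbuf[posbits >> 3];
}
```

With `pos = 12` the clamped variant resumes at the first new byte (value 100), while the signed variant resumes at value 102, having skipped the two bytes the decoder had already consumed.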