58 lines
1.4 KiB
Text
58 lines
1.4 KiB
Text
$NetBSD: patch-aa,v 1.4 2006/12/03 03:09:46 obache Exp $
|
|
|
|
--- src/huf.c.orig 2000-10-06 02:35:49.000000000 +0900
|
|
+++ src/huf.c
|
|
@@ -332,7 +332,7 @@ read_pt_len(nn, nbit, i_special)
|
|
}
|
|
else {
|
|
i = 0;
|
|
- while (i < n) {
|
|
+ while (i < MIN(n, NPT)) {
|
|
c = bitbuf >> (16 - 3);
|
|
if (c == 7) {
|
|
unsigned short mask = 1 << (16 - 4);
|
|
@@ -345,7 +345,7 @@ read_pt_len(nn, nbit, i_special)
|
|
pt_len[i++] = c;
|
|
if (i == i_special) {
|
|
c = getbits(2);
|
|
- while (--c >= 0)
|
|
+ while (--c >= 0 && i < NPT)
|
|
pt_len[i++] = 0;
|
|
}
|
|
}
|
|
@@ -370,7 +370,7 @@ read_c_len( /* void */ )
|
|
c_table[i] = c;
|
|
} else {
|
|
i = 0;
|
|
- while (i < n) {
|
|
+ while (i < MIN(n,NC)) {
|
|
c = pt_table[bitbuf >> (16 - 8)];
|
|
if (c >= NT) {
|
|
unsigned short mask = 1 << (16 - 9);
|
|
@@ -380,7 +380,7 @@ read_c_len( /* void */ )
|
|
else
|
|
c = left[c];
|
|
mask >>= 1;
|
|
- } while (c >= NT);
|
|
+ } while (c >= NT && (mask || c!= left[c])); /* CVE-2006-4338 */
|
|
}
|
|
fillbuf(pt_len[c]);
|
|
if (c <= 2) {
|
|
@@ -427,7 +427,7 @@ decode_c_st1( /*void*/ )
|
|
else
|
|
j = left[j];
|
|
mask >>= 1;
|
|
- } while (j >= NC);
|
|
+ } while (j >= NC && (mask || j != left[j])); /* CVE-2006-4338 */
|
|
fillbuf(c_len[j] - 12);
|
|
}
|
|
return j;
|
|
@@ -451,7 +451,7 @@ decode_p_st1( /* void */ )
|
|
else
|
|
j = left[j];
|
|
mask >>= 1;
|
|
- } while (j >= np);
|
|
+ } while (j >= np && (mask || j != left[j])); /* CVE-2006-4338 */
|
|
fillbuf(pt_len[j] - 8);
|
|
}
|
|
if (j != 0)
|