naota 12/04/02 10:22:58 |
|
Added: freebsd-ubin-8.2-compress.patch |
Log: |
Add patch to fix CVE-2011-2895. #408887 |
|
(Portage version: 2.2.0_alpha89/cvs/FreeBSD i386) |
|
Revision Changes Path |
1.1 sys-freebsd/freebsd-ubin/files/freebsd-ubin-8.2-compress.patch |
|
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sys-freebsd/freebsd-ubin/files/freebsd-ubin-8.2-compress.patch?rev=1.1&view=markup |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/sys-freebsd/freebsd-ubin/files/freebsd-ubin-8.2-compress.patch?rev=1.1&content-type=text/plain |
|
Index: freebsd-ubin-8.2-compress.patch |
=================================================================== |
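--- a/usr.bin/compress/zopen.c (revision 225020)
+++ b/usr.bin/compress/zopen.c (working copy)
@@ -486,7 +486,7 @@ zread(void *cookie, char *rbp, int num)
 block_compress = maxbits & BLOCK_MASK;
 maxbits &= BIT_MASK;
 maxmaxcode = 1L << maxbits;
- if (maxbits > BITS) {
+ if (maxbits > BITS || maxbits < 12) {
 errno = EFTYPE;
 return (-1);
 }
@@ -513,17 +513,28 @@ zread(void *cookie, char *rbp, int num)
 for (code = 255; code >= 0; code--)
 tab_prefixof(code) = 0;
 clear_flg = 1;
- free_ent = FIRST - 1;
- if ((code = getcode(zs)) == -1) /* O, untimely death! */
- break;
+ free_ent = FIRST;
+ oldcode = -1;
+ continue;
 }
 incode = code;
 
- /* Special case for KwKwK string. */
+ /* Special case for kWkWk string. */
 if (code >= free_ent) {
+ if (code > free_ent || oldcode == -1) {
+ /* Bad stream. */
+ errno = EINVAL;
+ return (-1);
+ }
 *stackp++ = finchar;
 code = oldcode;
 }
+ /*
+ * The above condition ensures that code < free_ent.
+ * The construction of tab_prefixof in turn guarantees that
+ * each iteration decreases code and therefore stack usage is
+ * bound by 1 << BITS - 256.
+ */
 
 /* Generate output characters in reverse order. */
 while (code >= 256) {
@@ -540,7 +551,7 @@ middle: do {
 } while (stackp > de_stack);
 
 /* Generate the new entry. */
- if ((code = free_ent) < maxmaxcode && oldcode != -1) {
+ if ((code = free_ent) < maxmaxcode && oldcode != -1) {
 tab_prefixof(code) = (u_short) oldcode;
 tab_suffixof(code) = finchar;
 free_ent = code + 1;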
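Review bot: The stack bound this fix depends on exists only in the new comment above `while (code >= 256)`, and that comment writes it as `1 << BITS - 256`, which C precedence reads as `1 << (BITS - 256)`; it should say `(1 << BITS) - 256`. No line in the hunk compares `stackp` with the end of the decode stack, so the guarantee rests on `code < free_ent` and on every `tab_prefixof` entry pointing at a smaller code; the loop body and the stack's declared size are outside the hunk, so the margin cannot be confirmed from here. In the first hunk the lower limit `12` in `maxbits < 12` is a bare literal that deserves a one-line comment giving its reason, and `maxmaxcode = 1L << maxbits;` is still evaluated before the range check, so moving that assignment below the `if` would keep an out-of-range width from ever reaching the shift.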