avoid creating an undersized buffer for the hufts table

A malformed input file can cause gzip to crash with a segmentation
violation or hang in an endless loop.
Reported in <http://bugs.debian.org/507263>.
* NEWS (Bug fixes): Mention it.

diff --git a/NEWS b/NEWS
index 0e6918d1db76a3429320b2a24fa1e64e76bd3314..428c21463adfb9fb6c61d9792bd3cfc3f9d30a68 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,8 @@ GNU gzip NEWS                                    -*- outline -*-
 
   gzip no longer ignores a close-induced write failure, e.g., on NFS
 
+  gzip -d no longer segfaults on certain invalid inputs
+
 
 Major changes in Gzip 1.3.12 (2007-04-13)
 

diff --git a/inflate.c b/inflate.c
index 7dd630a7e87459fbbc1020101649b07825a14ca0..2f8670d82c2c0f8eecd7d83fb2bfef092cefa04f 100644 (file)
--- a/inflate.c
+++ b/inflate.c
@@ -335,13 +335,15 @@ int *m;                 /* maximum lookup bits, returns actual */
   } while (--i);
   if (c[0] == n)                /* null input--all zero length codes */
   {
-    q = (struct huft *) malloc (2 * sizeof *q);
+    q = (struct huft *) malloc (3 * sizeof *q);
     if (!q)
       return 3;
-    hufts += 2;
+    hufts += 3;
     q[0].v.t = (struct huft *) NULL;
     q[1].e = 99;    /* invalid code marker */
     q[1].b = 1;
+    q[2].e = 99;    /* invalid code marker */
+    q[2].b = 1;
     *t = q + 1;
     *m = 1;
     return 0;