* unlzw.c (unlzw): Avoid integer overflow.
Aki Helin reported the segfault along with an input to trigger the bug.
* NEWS (Bug fixes): Mention it.
** Bug fixes
+ gzip -d could segfault and/or clobber the stack, possibly leading to
+ arbitrary code execution. This affects x86_64 but not 32-bit systems.
+ This fixes CVE-2010-0001.
+ For more details, see http://bugzilla.redhat.com/554418
+
gzip -d would fail with a CRC error for some valid inputs.
So far, the only valid input known to exhibit this failure was
compressed "from FAT filesystem (MS-DOS, OS/2, NT)". In addition,
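Review bot: the new NEWS entry, in the line "gzip -d could segfault and/or clobber the stack", does not say which kind of input is affected. The commit message places the fix in unlzw.c, so the entry could state that the problem is in decompressing LZW-compressed input. That lets readers judge their exposure without following the bugzilla link.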
Darrel R. Hankerson hankedr@mail.auburn.edu
Mark Hanning-Lee markhl@romeo.caltech.edu
Lars Hecking st000002@hrz1.hrz.th-darmstadt.de
+Aki Helin aki.helin@iki.fi
Ruediger Helsch ruediger@ramz.ing.tu-bs.de
Mark C. Henderson mch@sqwest.wimsey.bc.ca
Karl Heuer karl@kelp.boston.ma.us
int o;
resetbuf:
- e = insize-(o = (posbits>>3));
+ o = posbits >> 3;
+ e = o <= insize ? insize - o : 0;
for (i = 0 ; i < e ; ++i) {
inbuf[i] = inbuf[i+o];
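Review bot: the clamp in `e = o <= insize ? insize - o : 0;` hides the out-of-range case instead of reporting it. When `o` exceeds `insize`, `e` becomes 0 and the copy loop is skipped, but nothing in the visible lines treats the input as corrupt, even though `posbits` then refers to a position beyond the `insize` bytes in the buffer. Consider reporting `o > insize` as a corrupt-input error, or at least add a comment saying how that state arises and why 0 is a safe value for `e`. A second, smaller point: `o` is declared `int`, and the declaration of `insize` is not in this hunk. If `insize` is unsigned, the comparison converts `o` to unsigned, so a matching type or a short comment would make the intended comparison explicit.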