From 39a362ae9d9b007473381dba5032f4dfc1744cf2 Mon Sep 17 00:00:00 2001
From: Thiemo Nagel
Date: Sun, 16 Aug 2009 16:48:37 +0200
Subject: [PATCH] avoid creating an undersized buffer for the hufts table
A malformed input file can cause gzip to crash with a segmentation violation or hang in an endless loop. Reported in .
* NEWS (Bug fixes): Mention it.
---
 NEWS | 2 ++
 inflate.c | 6 ++++--
 2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/NEWS b/NEWS
index 0e6918d..428c214 100644
--- a/NEWS
+++ b/NEWS
@@ -6,6 +6,8 @@ GNU gzip NEWS -*- outline -*-
 gzip no longer ignores a close-induced write failure, e.g., on NFS
+ gzip -d no longer segfaults on certain invalid inputs
+
 Major changes in Gzip 1.3.12 (2007-04-13)
diff --git a/inflate.c b/inflate.c
index 7dd630a..2f8670d 100644
--- a/inflate.c
+++ b/inflate.c
@@ -335,13 +335,15 @@ int *m; /* maximum lookup bits, returns actual */
 } while (--i);
 if (c[0] == n) /* null input--all zero length codes */
 {
- q = (struct huft *) malloc (2 * sizeof *q);
+ q = (struct huft *) malloc (3 * sizeof *q);
 if (!q)
 return 3;
- hufts += 2;
+ hufts += 3;
 q[0].v.t = (struct huft *) NULL;
 q[1].e = 99; /* invalid code marker */
 q[1].b = 1;
+ q[2].e = 99; /* invalid code marker */
+ q[2].b = 1;
 *t = q + 1;
 *m = 1;
 return 0;
-- 
2.47.2
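Review bot: The new code in the inflate.c hunk does not say why the null-input table now needs three entries, and the size appears as two separate literals (`malloc (3 * sizeof *q)` and `hufts += 3`) that nothing keeps in step. From the visible `*t = q + 1; *m = 1;` the caller is handed a table of one lookup bit starting at q[1], so a lookup presumably reads q[1] or q[2]; the old two-entry allocation left q[2] outside the buffer, which is the out-of-bounds read the NEWS entry describes. That reasoning should sit next to the allocation, e.g. `/* Three entries: q[0] is the header; *t = q + 1 with *m = 1, so a one-bit lookup may read q[1] or q[2], and both must carry the invalid-code marker. */`. A single named count (constructed example: `enum { NULL_TABLE_ENTRIES = 3 };`) used in both the malloc and the `hufts` update would stop the two values drifting apart again, and the duplicated `99` marker would read better as a named constant if the file has one. The enclosing function begins and ends outside this hunk.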