archivers/lha/patches/patch-ab

   1 $NetBSD: patch-ab,v 1.6 2006/12/03 03:09:46 obache Exp $
   2
   3 --- src/maketbl.c.orig  2000-10-04 23:57:38.000000000 +0900
   4 +++ src/maketbl.c
   5 @@ -32,8 +32,15 @@ make_table(nchar, bitlen, tablebits, tab
   6         }
   7
   8         /* count */
   9 -       for (i = 0; i < nchar; i++)
  10 -               count[bitlen[i]]++;
  11 +       for (i = 0; i < nchar; i++) {
  12 +               if (bitlen[i] > 16) {
  13 +                       /* CVE-2006-4335 */
  14 +                       error("Bad table (case a)");
  15 +                       exit(1);
  16 +               }
  17 +               else
  18 +                       count[bitlen[i]]++;
  19 +       }
  20
  21         /* calculate first code */
  22         total = 0;
  23 @@ -41,8 +48,10 @@ make_table(nchar, bitlen, tablebits, tab
  24                 start[i] = total;
  25                 total += weight[i] * count[i];
  26         }
  27 -       if ((total & 0xffff) != 0)
  28 +       if ((total & 0xffff) != 0 || tablebits > 16) { /* 16 for weight below */
  29                 error("make_table()", "Bad table (5)\n");
  30 +               exit(1);
  31 +       }
  32
  33         /* shift data for make table. */
  34         m = 16 - tablebits;
  35 @@ -53,7 +62,7 @@ make_table(nchar, bitlen, tablebits, tab
  36
  37         /* initialize */
  38         j = start[tablebits + 1] >> m;
  39 -       k = 1 << tablebits;
  40 +       k = MIN(1 << tablebits, 4096);
  41         if (j != 0)
  42                 for (i = j; i < k; i++)
  43                         table[i] = 0;
  44 @@ -66,12 +75,19 @@ make_table(nchar, bitlen, tablebits, tab
  45                 l = start[k] + weight[k];
  46                 if (k <= tablebits) {
  47                         /* code in table */
  48 +                       l = MIN(l, 4096);
  49                         for (i = start[k]; i < l; i++)
  50                                 table[i] = j;
  51                 }
  52                 else {
  53                         /* code not in table */
  54 -                       p = &table[(i = start[k]) >> m];
  55 +                       i = start[k];
  56 +                       if ((i >> m) > 4096) {
  57 +                               /* CVE-2006-4337 */
  58 +                               error("Bad table (case c)");
  59 +                               exit(1);
  60 +                       }
  61 +                       p = &table[i >> m];
  62                         i <<= tablebits;
  63                         n = k - tablebits;
  64                         /* make tree (n length) */