Package: gzip
Version: 1.3.12-6
Severity: normal
Tags: patch

A specific malformed input file (cf. attachment) either leads to gzip crashing with segmentation violation or hanging in an endless loop. Attached patch fixes the problem. The issue doesn't look exploitable to me, but I'm not an expert.

Kind regards,
Thiemo Nagel

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.27.4-tn4 (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages gzip depends on:
ii  debianutils  2.30    Miscellaneous utilities specific t
ii  libc6        2.7-16  GNU C Library: Shared libraries

gzip recommends no packages.

Versions of packages gzip suggests:
ii  less  418-1  Pager program similar to more

-- no debconf information
segv.gz
Description: GNU Zip compressed data
--- gzip-1.3.12/inflate.c 2006-12-21 00:30:17.000000000 +0100
+++ gzip-1.3.12-fixed/inflate.c 2008-11-29 14:23:32.000000000 +0100
@@ -335,13 +336,15 @@
} while (--i);
if (c[0] == n) /* null input--all zero length codes */
{
- q = (struct huft *) malloc (2 * sizeof *q);
+ q = (struct huft *) malloc (3 * sizeof *q);
if (!q)
return 3;
- hufts += 2;
+ hufts += 3;
q[0].v.t = (struct huft *) NULL;
q[1].e = 99; /* invalid code marker */
q[1].b = 1;
+ q[2].e = 99; /* invalid code marker */
+ q[2].b = 1;
*t = q + 1;
*m = 1;
return 0;
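Review bot: the hunk never says why three entries are needed, and `2` and `3` remain magic numbers at the `malloc` and at `hufts +=`. The function returns `*m = 1` and `*t = q + 1`, so the caller indexes the returned table with one bit and can reach both `q[1]` and `q[2]`; the previous allocation of two entries covered only the link slot `q[0]` and `q[1]`, so the second reachable entry was read past the end of the buffer. A short comment at the allocation, e.g. `/* link slot plus the 2 entries reachable with *m == 1 bit */`, would stop a later reader from shrinking this back to two. The header `@@ -335,13 +336,15 @@` also places the new side one line later than the old, which implies an earlier hunk that is not in this excerpt; please attach the complete patch. Finally, running `gzip -t` on the attached segv.gz before and after the change would turn the reporter's crash/hang reproducer into a regression test.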

