summaryrefslogtreecommitdiff
path: root/debian/patches/CVE-2016-9843.diff
diff options
context:
space:
mode:
authorIgor Pashev <pashev.igor@gmail.com>2017-05-13 13:54:49 +0300
committerIgor Pashev <pashev.igor@gmail.com>2017-05-13 13:54:49 +0300
commit42156b5190f4fa150e1fab6777eb81e69d4db8c9 (patch)
tree3bf47de81cf1f89892789535a036d2d55d93a136 /debian/patches/CVE-2016-9843.diff
downloadgcc-6-debian.tar.gz
Imported gcc-6 (6.3.0-17)debian/6.3.0-17debian
Diffstat (limited to 'debian/patches/CVE-2016-9843.diff')
-rw-r--r--debian/patches/CVE-2016-9843.diff47
1 files changed, 47 insertions, 0 deletions
diff --git a/debian/patches/CVE-2016-9843.diff b/debian/patches/CVE-2016-9843.diff
new file mode 100644
index 0000000..ac1da9b
--- /dev/null
+++ b/debian/patches/CVE-2016-9843.diff
@@ -0,0 +1,47 @@
+commit d1d577490c15a0c6862473d7576352a9f18ef811
+Author: Mark Adler <madler@alumni.caltech.edu>
+Date: Wed Sep 28 20:20:25 2016 -0700
+
+ Avoid pre-decrement of pointer in big-endian CRC calculation.
+
+ There was a small optimization for PowerPCs to pre-increment a
+ pointer when accessing a word, instead of post-incrementing. This
+ required prefacing the loop with a decrement of the pointer,
+ possibly pointing before the object passed. This is not compliant
+ with the C standard, for which decrementing a pointer before its
+ allocated memory is undefined. When tested on a modern PowerPC
+ with a modern compiler, the optimization no longer has any effect.
+ Due to all that, and per the recommendation of a security audit of
+ the zlib code by Trail of Bits and TrustInSoft, in support of the
+ Mozilla Foundation, this "optimization" was removed, in order to
+ avoid the possibility of undefined behavior.
+
+diff --git a/crc32.c b/crc32.c
+index 979a719..05733f4 100644
+--- a/src/zlib/crc32.c
++++ b/src/zlib/crc32.c
+@@ -278,7 +278,7 @@ local unsigned long crc32_little(crc, buf, len)
+ }
+
+ /* ========================================================================= */
+-#define DOBIG4 c ^= *++buf4; \
++#define DOBIG4 c ^= *buf4++; \
+ c = crc_table[4][c & 0xff] ^ crc_table[5][(c >> 8) & 0xff] ^ \
+ crc_table[6][(c >> 16) & 0xff] ^ crc_table[7][c >> 24]
+ #define DOBIG32 DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4
+@@ -300,7 +300,6 @@ local unsigned long crc32_big(crc, buf, len)
+ }
+
+ buf4 = (const z_crc_t FAR *)(const void FAR *)buf;
+- buf4--;
+ while (len >= 32) {
+ DOBIG32;
+ len -= 32;
+@@ -309,7 +308,6 @@ local unsigned long crc32_big(crc, buf, len)
+ DOBIG4;
+ len -= 4;
+ }
+- buf4++;
+ buf = (const unsigned char FAR *)buf4;
+
+ if (len) do {