diff options
Diffstat (limited to 'debian/patches/CVE-2016-9843.diff')
| -rw-r--r-- | debian/patches/CVE-2016-9843.diff | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/debian/patches/CVE-2016-9843.diff b/debian/patches/CVE-2016-9843.diff new file mode 100644 index 0000000..ac1da9b --- /dev/null +++ b/debian/patches/CVE-2016-9843.diff @@ -0,0 +1,47 @@ +commit d1d577490c15a0c6862473d7576352a9f18ef811 +Author: Mark Adler <madler@alumni.caltech.edu> +Date: Wed Sep 28 20:20:25 2016 -0700 + + Avoid pre-decrement of pointer in big-endian CRC calculation. + + There was a small optimization for PowerPCs to pre-increment a + pointer when accessing a word, instead of post-incrementing. This + required prefacing the loop with a decrement of the pointer, + possibly pointing before the object passed. This is not compliant + with the C standard, for which decrementing a pointer before its + allocated memory is undefined. When tested on a modern PowerPC + with a modern compiler, the optimization no longer has any effect. + Due to all that, and per the recommendation of a security audit of + the zlib code by Trail of Bits and TrustInSoft, in support of the + Mozilla Foundation, this "optimization" was removed, in order to + avoid the possibility of undefined behavior. + +diff --git a/crc32.c b/crc32.c +index 979a719..05733f4 100644 +--- a/src/zlib/crc32.c ++++ b/src/zlib/crc32.c +@@ -278,7 +278,7 @@ local unsigned long crc32_little(crc, buf, len) + } + + /* ========================================================================= */ +-#define DOBIG4 c ^= *++buf4; \ ++#define DOBIG4 c ^= *buf4++; \ + c = crc_table[4][c & 0xff] ^ crc_table[5][(c >> 8) & 0xff] ^ \ + crc_table[6][(c >> 16) & 0xff] ^ crc_table[7][c >> 24] + #define DOBIG32 DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4; DOBIG4 +@@ -300,7 +300,6 @@ local unsigned long crc32_big(crc, buf, len) + } + + buf4 = (const z_crc_t FAR *)(const void FAR *)buf; +- buf4--; + while (len >= 32) { + DOBIG32; + len -= 32; +@@ -309,7 +308,6 @@ local unsigned long crc32_big(crc, buf, len) + DOBIG4; + len -= 4; + } +- buf4++; + buf = (const unsigned char FAR *)buf4; + + if (len) do { |