$NetBSD: patch-aa,v 1.4 2006/12/03 03:09:46 obache Exp $

--- src/huf.c.orig	2000-10-06 02:35:49.000000000 +0900
+++ src/huf.c
@@ -332,7 +332,7 @@ read_pt_len(nn, nbit, i_special)
 	}
 	else {
 		i = 0;
-		while (i < n) {
+		while (i < MIN(n, NPT)) {
 			c = bitbuf >> (16 - 3);
 			if (c == 7) {
 				unsigned short  mask = 1 << (16 - 4);
@@ -345,7 +345,7 @@ read_pt_len(nn, nbit, i_special)
 			pt_len[i++] = c;
 			if (i == i_special) {
 				c = getbits(2);
-				while (--c >= 0)
+				while (--c >= 0 && i < NPT)
 					pt_len[i++] = 0;
 			}
 		}
@@ -370,7 +370,7 @@ read_c_len( /* void */ )
 			c_table[i] = c;
 	} else {
 		i = 0;
-		while (i < n) {
+		while (i < MIN(n,NC)) {
 			c = pt_table[bitbuf >> (16 - 8)];
 			if (c >= NT) {
 				unsigned short  mask = 1 << (16 - 9);
@@ -380,7 +380,7 @@ read_c_len( /* void */ )
 					else
 						c = left[c];
 					mask >>= 1;
-				} while (c >= NT);
+				} while (c >= NT && (mask || c!= left[c])); /* CVE-2006-4338 */
 			}
 			fillbuf(pt_len[c]);
 			if (c <= 2) {
@@ -427,7 +427,7 @@ decode_c_st1( /*void*/ )
 			else
 				j = left[j];
 			mask >>= 1;
-		} while (j >= NC);
+		} while (j >= NC && (mask || j != left[j])); /* CVE-2006-4338 */
 		fillbuf(c_len[j] - 12);
 	}
 	return j;
@@ -451,7 +451,7 @@ decode_p_st1( /* void */ )
 			else
 				j = left[j];
 			mask >>= 1;
-		} while (j >= np);
+		} while (j >= np && (mask || j != left[j])); /* CVE-2006-4338 */
 		fillbuf(pt_len[j] - 8);
 	}
 	if (j != 0)