$NetBSD: patch-decode.c,v 1.2 2022/01/08 14:43:09 tnn Exp $
Fix CVE-2015-2782. Via Debian security-afl.patch.
Fix out-of-bounds read via Debian out-of-bounds-read.patch.
--- decode.c.orig 2022-01-08 14:27:21.037706349 +0000
+++ decode.c
@@ -255,7 +255,7 @@ void read_pt_len(int nn, int nbit, int i
if(i==i_special)
{
c=getbits(2);
- while(--c>=0)
+ while(--c>=0&&i<nn)
pt_len[i++]=0;
}
}
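Review bot: Only the zero-fill after `i==i_special` gets the `i<nn` bound here, while the read_c_len hunk below guards both its zero-fill and its direct store (`else if (i<NC)`). read_pt_len's body starts above this hunk, so the store that advances `i` before the `i==i_special` test is not visible; if it is driven by a count taken from the stream, it presumably needs the same bound, or that count should be clamped to `nn` once after it is read. A short comment on the new condition, e.g. `/* never write past nn entries; the repeat count comes from the input stream */`, would record why the check exists.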
@@ -314,10 +314,10 @@ void read_c_len()
c=getbits(CBIT);
c+=20;
}
- while(--c>=0)
+ while(--c>=0&&i<NC)
c_len[i++]=0;
}
- else
+ else if (i<NC)
c_len[i++]=(unsigned char)(c-2);
}
while(i<NC)
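Review bot: Once `i` reaches NC, neither the bounded zero-fill nor the new `else if (i<NC)` branch advances `i` any more, so termination now depends on the enclosing loop's condition, which starts above this hunk. If that loop runs until `i` reaches a count read from the stream and the count can exceed NC, it would keep consuming input without making progress. Leaving the loop explicitly with `if(i>=NC) break;` at the end of the iteration, or clamping the count to NC once after it is read, would put the bound and the exit in one visible place. The skipped store also drops a code length without signalling corrupt input, which deserves at least a comment.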
@@ -416,10 +416,10 @@ static void NEAR decode_end()
void decode(int action)
{
- short i;
- short r;
- short c;
- static short j;
+ int i;
+ int r;
+ int c;
+ static int j;
#if SFX_LEVEL>=ARJSFXV
if(!setjmp(decode_proc))
@@ -450,9 +450,12 @@ void decode(int action)
{
j=c-(UCHAR_MAX+1-THRESHOLD);
count-=(unsigned long)j;
- i=r-decode_p()-1;
+ int P = decode_p();
+ i=r-P-1;
if(i<0)
i+=DICSIZ;
+ if(i<0)
+ goto termination;
if(r>i&&r<DICSIZ-MAXMATCH-1)
{
while(--j>=0)
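Review bot: `int P = decode_p();` is declared after statements, whereas decode()'s other locals are declared at the top of the function (`int i; int r; int c;` in the previous hunk), so this line needs a C99 compiler where the rest of the visible code reads as C89, and the upper-case name looks like a macro. Declaring `int p;` with the other locals and writing `p=decode_p();` then `i=r-p-1;` keeps the file consistent. The second `if(i<0)` is reached only when the value from decode_p() is larger than `r+DICSIZ-1`, so a comment on `goto termination;` such as `/* offset points outside the dictionary: corrupt input */` would explain the bail-out. The `termination` label and the rest of decode() are outside the hunk.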