$NetBSD: patch-ab,v 1.6 2006/12/03 03:09:46 obache Exp $
--- src/maketbl.c.orig 2000-10-04 23:57:38.000000000 +0900
+++ src/maketbl.c
@@ -32,8 +32,15 @@ make_table(nchar, bitlen, tablebits, tab
}
/* count */
- for (i = 0; i < nchar; i++)
- count[bitlen[i]]++;
+ for (i = 0; i < nchar; i++) {
+ if (bitlen[i] > 16) {
+ /* CVE-2006-4335 */
+ error("Bad table (case a)");
+ exit(1);
+ }
+ else
+ count[bitlen[i]]++;
+ }
/* calculate first code */
total = 0;
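Review bot: The new `error("Bad table (case a)")` call passes one argument, while the existing call in the next hunk passes two, `error("make_table()", "Bad table (5)\n")`. The declaration of error() is not visible here; if it takes a subject and a message, the second parameter is read uninitialised on exactly the path that handles a malformed archive. I would write `error("make_table()", "Bad table (case a)\n");` and do the same for `error("Bad table (case c)")` in the last hunk. The literal 16 presumably mirrors the size of `count`, so a short comment such as `/* count[] has 17 slots: bit lengths 0..16 */` would tie the bound to the array once that is confirmed against the declaration, which lies outside the hunk.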
@@ -41,8 +48,10 @@ make_table(nchar, bitlen, tablebits, tab
start[i] = total;
total += weight[i] * count[i];
}
- if ((total & 0xffff) != 0)
+ if ((total & 0xffff) != 0 || tablebits > 16) { /* 16 for weight below */
error("make_table()", "Bad table (5)\n");
+ exit(1);
+ }
/* shift data for make table. */
m = 16 - tablebits;
@@ -53,7 +62,7 @@ make_table(nchar, bitlen, tablebits, tab
/* initialize */
j = start[tablebits + 1] >> m;
- k = 1 << tablebits;
+ k = MIN(1 << tablebits, 4096);
if (j != 0)
for (i = j; i < k; i++)
table[i] = 0;
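Review bot: The clamp in `k = MIN(1 << tablebits, 4096);` hard-codes 4096 although `table` is a parameter whose real size is not visible in this hunk. If any caller passes a shorter table, the zero-fill loop `for (i = j; i < k; i++)` is still bounded only by `1 << tablebits`, not by that table's length. The clamp also silently truncates an inconsistent table, where the other hunks reject it with `exit(1)`. At minimum I would name the limit and document the assumption, for example `/* 4096 == entries in the largest table callers pass; TODO confirm */`. Passing the table length in explicitly would be the safer form.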
@@ -66,12 +75,19 @@ make_table(nchar, bitlen, tablebits, tab
l = start[k] + weight[k];
if (k <= tablebits) {
/* code in table */
+ l = MIN(l, 4096);
for (i = start[k]; i < l; i++)
table[i] = j;
}
else {
/* code not in table */
- p = &table[(i = start[k]) >> m];
+ i = start[k];
+ if ((i >> m) > 4096) {
+ /* CVE-2006-4337 */
+ error("Bad table (case c)");
+ exit(1);
+ }
+ p = &table[i >> m];
i <<= tablebits;
n = k - tablebits;
/* make tree (n length) */
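Review bot: The guard `if ((i >> m) > 4096)` looks off by one: it still lets `p = &table[i >> m]` point at index 4096. The in-table branch just above treats 4096 as an exclusive bound (`l = MIN(l, 4096)` with `i < l`). Assuming `table` holds 4096 entries, which should be confirmed against the callers, the check should be `if ((i >> m) >= 4096)`. The tree-building code that writes through `p` continues below the hunk, so a one-past-the-end `p` would be written through there.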