diff options
| author | landley <landley@69ca8d6d-28ef-0310-b511-8ec308f3f277> | 2006-02-20 02:18:03 +0000 |
|---|---|---|
| committer | landley <landley@69ca8d6d-28ef-0310-b511-8ec308f3f277> | 2006-02-20 02:18:03 +0000 |
| commit | 973b81e049b4f6fc0d611c366aef69067f03278c (patch) | |
| tree | d70e64b1bb6f544737b5d61fd07699d30a63981e | |
| parent | 3870e985a96337e69ed33b89b27fe055e39189c9 (diff) | |
| download | busybox-w32-973b81e049b4f6fc0d611c366aef69067f03278c.tar.gz busybox-w32-973b81e049b4f6fc0d611c366aef69067f03278c.tar.bz2 busybox-w32-973b81e049b4f6fc0d611c366aef69067f03278c.zip | |
The gentoo security guys found another way to segfault busybox's decompression
code: we can do a null dereference if one of our huffman tables has all zero
length codes. This fixes it. (Thanks solar.)
git-svn-id: svn://busybox.net/trunk/busybox@14137 69ca8d6d-28ef-0310-b511-8ec308f3f277
| -rw-r--r-- | archival/libunarchive/decompress_unzip.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/archival/libunarchive/decompress_unzip.c b/archival/libunarchive/decompress_unzip.c index 1b82542fe..ea8169592 100644 --- a/archival/libunarchive/decompress_unzip.c +++ b/archival/libunarchive/decompress_unzip.c | |||
| @@ -271,7 +271,7 @@ int huft_build(unsigned int *b, const unsigned int n, | |||
| 271 | if (c[0] == n) { /* null input--all zero length codes */ | 271 | if (c[0] == n) { /* null input--all zero length codes */ |
| 272 | *t = (huft_t *) NULL; | 272 | *t = (huft_t *) NULL; |
| 273 | *m = 0; | 273 | *m = 0; |
| 274 | return 0; | 274 | return 2; |
| 275 | } | 275 | } |
| 276 | 276 | ||
| 277 | /* Find minimum and maximum length, bound *m by those */ | 277 | /* Find minimum and maximum length, bound *m by those */ |