authorMark Adler <madler@alumni.caltech.edu>2013-02-18 21:06:35 -0800
committerMark Adler <madler@alumni.caltech.edu>2013-02-18 21:47:00 -0800
commit51370f365607fe14a6a7a1a27b3bd29d788f5e5b (patch)
tree09db363475af028a7b9157b949667491d132f6de
parent10056909c00bca2684340856ce20272f3fd8fa43 (diff)
Fix serious but very rare decompression bug in inftrees.c.
inftrees.c compared the number of used table entries to the maximum allowed value using >= instead of >. This patch fixes those comparisons to use >. The bug was discovered by Ignat Kolesnichenko of Yandex LC where they have run petabytes of data through zlib. Triggering the bug is apparently very rare, seeing as how it has been out there in the wild for almost three years before being discovered. The bug is triggered only when the block being decoded uses exactly the maximum number of decoding table entries, ENOUGH_DISTS or ENOUGH_LENS, resulting in a false positive for overflowing the table.
-rw-r--r--inftrees.c8
1 files changed, 4 insertions, 4 deletions
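--- a/inftrees.c
+++ b/inftrees.c
@@ -208,8 +208,8 @@ unsigned short FAR *work;
     mask = used - 1;            /* mask for comparing low */
 
     /* check available table space */
-    if ((type == LENS && used >= ENOUGH_LENS) ||
-        (type == DISTS && used >= ENOUGH_DISTS))
+    if ((type == LENS && used > ENOUGH_LENS) ||
+        (type == DISTS && used > ENOUGH_DISTS))
         return 1;
 
     /* process all codes and make table entries */
@@ -277,8 +277,8 @@ unsigned short FAR *work;
 
     /* check for enough space */
     used += 1U << curr;
-    if ((type == LENS && used >= ENOUGH_LENS) ||
-        (type == DISTS && used >= ENOUGH_DISTS))
+    if ((type == LENS && used > ENOUGH_LENS) ||
+        (type == DISTS && used > ENOUGH_DISTS))
         return 1;
 
     /* point entry in root table to sub-table */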
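Review bot: The corrected comparisons at lines 211-212 and 280-281 are right, but the surrounding comments ("check available table space", "check for enough space") still do not say why `used == ENOUGH_LENS` / `used == ENOUGH_DISTS` must be accepted, which is exactly the off-by-one this commit undoes after three years in the field; a one-line note would keep the next maintainer from "tightening" it back to `>=`. Suggested wording above the first check, and again above the second: `/* used == ENOUGH_* means the table is exactly full, which is valid; only used > ENOUGH_* would overflow it */`. Since the same two-line condition appears at both hunks, it could also be folded into one `static` helper such as `table_overflows(type, used)` so a future bound change is made in a single place, though that is a style preference rather than a defect. Note that as both hunks show, the check still rejects any block needing more than ENOUGH_* entries, so the fix widens acceptance only to the exact-fit case and does not relax the bound that protects the caller-supplied table. The enclosing inflate_table() begins before the first hunk and continues past the last line shown.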