From ebdc941a5d771a70b2f3ecde4cb94e50efd95c5d Mon Sep 17 00:00:00 2001
From: Thiemo Nagel <thiemo.nagel@ph.tum.de>
Date: Sat, 29 Nov 2008 16:06:59 +0100
Subject: [PATCH] Avoid creating an undersized buffer for the hufts table.

A specific malformed input file (cf. attachment) either leads to gzip
crashing with segmentation violation or hanging in an endless loop.

The attached patch fixes the problem.
---
 debian/changelog |    3 ++-
 inflate.c        |    6 ++++--
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 1686921..930c764 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -7,8 +7,9 @@ gzip (1.3.12-7) UNRELEASED; urgency=low
   [ Carl Worth ]
   * Add Carl Worth as an uploader. 
   * Fix "-f -" to work with zgrep, closes: #168606 
+  * Avoid creating undersized hufts table, closes #507263 
 
- -- Carl Worth <cworth@cworth.org>  Sat, 24 Jan 2009 02:42:45 +1100
+ -- Carl Worth <cworth@cworth.org>  Sat, 24 Jan 2009 16:15:02 +1100
 
 gzip (1.3.12-6) unstable; urgency=low
 
diff --git a/inflate.c b/inflate.c
index 9f3a661..2f4954b 100644
--- a/inflate.c
+++ b/inflate.c
@@ -335,13 +335,15 @@ int *m;                 /* maximum lookup bits, returns actual */
   } while (--i);
   if (c[0] == n)                /* null input--all zero length codes */
   {
-    q = (struct huft *) malloc (2 * sizeof *q);
+    q = (struct huft *) malloc (3 * sizeof *q);
     if (!q)
       return 3;
-    hufts += 2;
+    hufts += 3;
     q[0].v.t = (struct huft *) NULL;
     q[1].e = 99;    /* invalid code marker */
     q[1].b = 1;
+    q[2].e = 99;    /* invalid code marker */
+    q[2].b = 1;
     *t = q + 1;
     *m = 1;
     return 0;
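Review bot: The new size `3` on the malloc line and the matching `hufts += 3` are bare literals whose relation to the `*m = 1` set a few lines later is stated nowhere in the hunk, so the next reader cannot tell why a third entry is needed or that the two counts must stay in step with `*m`. Since the hunk returns `*t = q + 1` and advertises a 1-bit table via `*m = 1`, the decoder presumably indexes two slots, q[1] and q[2], after the link node q[0]; before this change only q[1] was allocated, which fits the out-of-bounds read behind the crash the commit message describes. I would add a comment above the malloc: `/* link node q[0] plus 1 << *m == 2 lookup entries, both invalid-code markers */`, and ideally derive both the `3` and the `hufts += 3` from one named constant so they cannot drift apart. The enclosing huft_build body begins and ends outside this hunk, so the reading of `*t`/`*m` above is from the visible lines only.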
-- 
1.5.6.5

