While examining the patch for CVE-2010-0001 in a clean-room environment, we found a non-security issue. Here is the existing patch:
- e = insize-(o = (posbits>>3)); + o = posbits >> 3; + e = o <= insize ? insize - o : 0; Suppose a CLEAR code is found near the end of the in-memory buffer but there is still more data to be read. (This must be extremely rare.) In that case what you want to do is re-fill the buffer and then skip to the next block of 8 codes, which might involve ignoring some bytes at the start of the new buffer. The original patch will start at the beginning of the buffer ('posbits=0'), which may be too soon. The following might be more suitable: --- unlzw.c +++ unlzw.c @@ -253,8 +253,14 @@ int unlzw(in, out) for (i = 0 ; i < e ; ++i) { inbuf[i] = inbuf[i+o]; } - insize = e; + + insize = 0; posbits = 0; + if (e >= 0) { + insize = e; + } else { + posbits = abs(e)<<3; + } if (insize < INBUF_EXTRA) { rsize = read_buffer (in, (char *) inbuf + insize, INBUFSIZ);
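Review bot: the `else` branch of the proposed hunk (`posbits = abs(e)<<3;`) can never execute while the existing CVE-2010-0001 change is in place, because that change computes `e = o <= insize ? insize - o : 0;` and so `e` is never negative; for the skip-ahead to happen the proposal also has to restore the signed `e = insize - o` (or derive the skip from `o - insize` directly), and `e` must be a signed type for the `if (e >= 0)` test to mean anything. Two smaller points on the same hunk: `abs()` needs `<stdlib.h>` to be included in unlzw.c, and a comment should state that in the `else` case `insize` is left at 0 on purpose so that the following `read_buffer (in, (char *) inbuf + insize, INBUFSIZ);` fills from the start of `inbuf`, with `posbits` then pointing at the first byte not yet consumed, and that the shift loop `for (i = 0 ; i < e ; ++i)` relies on doing nothing when `e` is negative.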
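As an added illustration (this is not gzip's code and not part of the original post), the following C program models the buffer-shift-and-refill block under both variants: the clamped one from the CVE-2010-0001 patch and the skip-ahead one proposed above. `INBUFSIZ`, `INBUF_EXTRA`, `inbuf`, `insize`, `posbits` and `read_buffer` are the names visible in the hunks; their values here, the constructed input stream in which byte i simply has value i, and the helper functions around them are assumptions made for the demonstration.

```c
/* Added example, not gzip's code: models the resetbuf logic of unlzw.c
 * under the CVE-2010-0001 patch (clamped) and the proposed follow-up
 * (skip-ahead). Buffer sizes and the input stream are constructed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define INBUFSIZ    8     /* assumption: tiny so the edge case is easy to hit */
#define INBUF_EXTRA 4     /* assumption */
#define STREAM_LEN  64

/* Constructed input: stream byte i has value i, so a buffer byte tells
 * us which stream offset it came from. */
struct stream { unsigned char data[STREAM_LEN]; int pos; };

static void stream_init(struct stream *st)
{
    for (int i = 0; i < STREAM_LEN; i++) st->data[i] = (unsigned char)i;
    st->pos = 0;
}

/* Stand-in for gzip's read_buffer(): copy up to n bytes, return count. */
static int read_buffer(struct stream *st, unsigned char *buf, int n)
{
    if (n > STREAM_LEN - st->pos) n = STREAM_LEN - st->pos;
    memcpy(buf, st->data + st->pos, n);
    st->pos += n;
    return n;
}

struct state {
    unsigned char inbuf[2 * INBUFSIZ + INBUF_EXTRA];
    int  insize;   /* bytes currently valid in inbuf */
    long posbits;  /* bit position of the next code to read */
};

/* Fill the buffer from stream offset 0 and pretend the decoder has
 * consumed up to bit `posbits`. A value past insize*8 models a CLEAR
 * code near the end of the buffer that moved posbits to the next block. */
static void state_init(struct state *s, struct stream *st, long posbits)
{
    memset(s, 0, sizeof *s);
    s->insize = read_buffer(st, s->inbuf, INBUFSIZ);
    s->posbits = posbits;
}

/* Variant 1: as in the CVE-2010-0001 patch. e is clamped at 0 and the
 * next code is always read from the start of the refilled buffer. */
static void resetbuf_clamped(struct state *s, struct stream *st)
{
    int o = (int)(s->posbits >> 3);
    int e = o <= s->insize ? s->insize - o : 0;
    for (int i = 0; i < e; ++i) s->inbuf[i] = s->inbuf[i + o];
    s->insize = e;
    s->posbits = 0;
    if (s->insize < INBUF_EXTRA)
        s->insize += read_buffer(st, s->inbuf + s->insize, INBUFSIZ);
}

/* Variant 2: as in the proposed follow-up. It needs the unclamped,
 * signed e = insize - o; with the clamped value the else branch is dead. */
static void resetbuf_skip(struct state *s, struct stream *st)
{
    int o = (int)(s->posbits >> 3);
    int e = s->insize - o;                /* negative when o > insize */
    for (int i = 0; i < e; ++i) s->inbuf[i] = s->inbuf[i + o];
    s->insize = 0;
    s->posbits = 0;
    if (e >= 0)
        s->insize = e;
    else
        s->posbits = (long)abs(e) << 3;   /* skip bytes already consumed */
    if (s->insize < INBUF_EXTRA)
        s->insize += read_buffer(st, s->inbuf + s->insize, INBUFSIZ);
}

/* Run one refill from a fresh stream and return the stream offset of the
 * byte the next code would be read from. */
static int next_byte(void (*reset)(struct state *, struct stream *), long posbits)
{
    struct stream st; struct state s;
    stream_init(&st);
    state_init(&s, &st, posbits);
    reset(&s, &st);
    return s.inbuf[s.posbits >> 3];
}
static int next_byte_clamped(long posbits) { return next_byte(resetbuf_clamped, posbits); }
static int next_byte_skip(long posbits)    { return next_byte(resetbuf_skip, posbits); }

int main(void)
{
    /* posbits = 48: o = 6 lies inside the 8-byte buffer, both agree. */
    printf("in range:  clamped=%d skip=%d\n", next_byte_clamped(48), next_byte_skip(48));
    /* posbits = 80: o = 10 is two bytes past the buffer end. */
    printf("past end:  clamped=%d skip=%d\n", next_byte_clamped(80), next_byte_skip(80));
    return 0;
}
```

With the decoder positioned inside the buffer both variants resume at the same stream byte; with it positioned two bytes past the end of an 8-byte buffer, the clamped refill resumes at stream byte 8 (the "too soon" case described above) while the skip-ahead variant resumes at byte 10. The skip-ahead variant only behaves this way because it uses the signed, unclamped `e`; combined with the clamp from the existing patch it would be identical to variant 1.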