Thanks for the fix. I installed the attached patch into the GNU gzip master and am marking this bug as done.
From 1a61dbfbb1e60f51c91682e6ed87bb404b02d851 Mon Sep 17 00:00:00 2001
From: Paul Eggert <egg...@cs.ucla.edu>
Date: Fri, 30 Nov 2018 13:00:42 -0800
Subject: [PATCH] gzip: fix use of uninitialized memory
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Problem reported by Hanno Böck (Bug#33501).
* NEWS: Mention this.
* inflate.c (inflate_dynamic): Return if code is invalid.
Fix by Mark Adler.
* tests/hufts: Add test case for the bug.
---
 NEWS        | 3 +++
 inflate.c   | 6 ++++++
 tests/hufts | 9 ++++++++-
 3 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/NEWS b/NEWS
index c3113ed..caa77bb 100644
--- a/NEWS
+++ b/NEWS
@@ -13,6 +13,9 @@ GNU gzip NEWS                                    -*- outline -*-
 
 ** Bug fixes
 
+  A use of uninitialized memory on some malformed inputs has been fixed.
+  [bug present since the beginning]
+
   A few theoretical race conditions in signal handers have been fixed.
   These bugs most likely do not happen on practical platforms.
   [bugs present since the beginning]
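Review bot: the NEWS entry states that the bug is fixed but not what users now observe; since the test hunk below expects `gzip -d` to exit with status 1 and print "invalid compressed data--format violated", consider saying that malformed inputs that previously triggered the uninitialized read are now rejected with that diagnostic, so users reading NEWS can recognise the new behaviour.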
diff --git a/inflate.c b/inflate.c
index d372685..bcafcf1 100644
--- a/inflate.c
+++ b/inflate.c
@@ -799,6 +799,12 @@ inflate_dynamic(void)
     NEEDBITS((unsigned)bl)
     j = (td = tl + ((unsigned)b & m))->b;
     DUMPBITS(j)
+    if (td->e == 99)
+      {
+        /* Invalid code.  */
+        huft_free (tl);
+        return 2;
+      }
     j = td->v.n;
     if (j < 16)                 /* length of code in bits (0..15) */
       ll[i++] = l = j;          /* save last length in l */
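Review bot: the literal 99 in `if (td->e == 99)` is a sentinel meaning "invalid code" (per the comment), but nothing here says where that value is assigned; either name the constant or extend the comment to point at the routine that builds the table, so a reader can verify the convention. The placement itself is right: the check sits after `DUMPBITS(j)` and before `j = td->v.n;`, so the `v` field of an invalid-code entry is never read, which is the uninitialized access this patch fixes, and `huft_free (tl);` before `return 2;` keeps the new error path from leaking the table.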
diff --git a/tests/hufts b/tests/hufts
index 1076c83..5660ec3 100755
--- a/tests/hufts
+++ b/tests/hufts
@@ -1,5 +1,5 @@
 #!/bin/sh
-# Exercise a bug whereby an invalid input could make gzip -d misbehave.
+# Exercise bugs whereby invalid input could make gzip -d misbehave.
 
 # Copyright (C) 2009-2018 Free Software Foundation, Inc.
 
@@ -30,4 +30,11 @@ compare /dev/null out || fail=1
 sed 's/.*hufts-segv.gz: /...: /' err > k; mv k err || fail=1
 compare exp err || fail=1
 
+printf '\037\213\010\000\060\060\060\060\060\060\144\000\000\000' > bug33501 \
+  || framework_failure_
+printf '\ngzip: stdin: invalid compressed data--format violated\n' >exp33501 \
+  || framework_failure_
+returns_ 1 gzip -d <bug33501 >out33501 2> err33501 || fail=1
+compare exp33501 err33501 || fail=1
+
 Exit $fail
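Review bot: the new case checks exit status and stderr but never looks at stdout, whereas the hufts-segv case just above also does `compare /dev/null out || fail=1`; add `compare /dev/null out33501 || fail=1` after the `compare exp33501 err33501` line so the test also confirms that nothing was written before the error. Hardcoding `stdin` in exp33501 is fine here because the input is redirected, so the `sed` normalisation used for hufts-segv.gz is not needed, and the octal-escape `printf` for the 14-byte input is portable across POSIX shells.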
-- 
2.19.2
