Source-Changes-HG archive


[src/trunk]: src/usr.bin/gzip provisional fix for CVS-2011-2895, buffer overf...



details:   https://anonhg.NetBSD.org/src/rev/c034fc060d7d
branches:  trunk
changeset: 768380:c034fc060d7d
user:      christos <christos%NetBSD.org@localhost>
date:      Tue Aug 16 03:21:47 2011 +0000

description:
provisional fix for CVS-2011-2895, buffer overflow when uncompressing

diffstat:

 usr.bin/gzip/zuncompress.c |  4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

diffs (18 lines):

diff -r 769a3928d42f -r c034fc060d7d usr.bin/gzip/zuncompress.c
--- a/usr.bin/gzip/zuncompress.c        Tue Aug 16 02:59:16 2011 +0000
+++ b/usr.bin/gzip/zuncompress.c        Tue Aug 16 03:21:47 2011 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: zuncompress.c,v 1.8 2010/11/06 21:42:32 mrg Exp $ */
+/*     $NetBSD: zuncompress.c,v 1.9 2011/08/16 03:21:47 christos Exp $ */
 
 /*-
  * Copyright (c) 1985, 1986, 1992, 1993
@@ -288,6 +288,8 @@
 
                /* Generate output characters in reverse order. */
                while (zs->u.r.zs_code >= 256) {
+                       if (zs->u.r.zs_stackp - de_stack >= HSIZE - 1)
+                               return -1;
                        *zs->u.r.zs_stackp++ = tab_suffixof(zs->u.r.zs_code);
                        zs->u.r.zs_code = tab_prefixof(zs->u.r.zs_code);
                }
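Review bot: The early `return -1` added at the top of the `while (zs->u.r.zs_code >= 256)` loop gives the caller no way to tell malformed input from any other failure, and the limit `HSIZE - 1` is not explained. Suggest setting errno before returning (for example `errno = EINVAL;`) and adding a one-line comment saying that the chain followed through `tab_prefixof()` can outrun the decode stack on corrupt input, and why the bound is `HSIZE - 1` rather than `HSIZE`. The declaration of `de_stack` is not visible in this hunk, so the limit should be confirmed against the buffer's actual size and against any write through `zs_stackp` that happens outside this loop.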


