Skip to content
Snippets Groups Projects
Select Git revision
  • develop
  • master default protected
  • v1.2.11
  • v1.2.10
  • v1.2.9
  • v1.2.8
  • v1.2.7.3
  • v1.2.7.2
  • v1.2.7.1
  • v1.2.7
  • v1.2.6.1
  • v1.2.6
  • v1.2.5.3
  • v1.2.5.2
  • v1.2.5.1
  • v1.2.5
  • v1.2.4.5
  • v1.2.4.4
  • v1.2.4.3
  • v1.2.4.2
  • v1.2.4.1
  • v1.2.4
22 results

deflate.h

  • Mark Adler's avatar
    5c44459c
    Fix a bug that can crash deflate on some input when using Z_FIXED. · 5c44459c
    Mark Adler authored 
    This bug was reported by Danilo Ramos of Eideticom, Inc. It has
lain in wait 13 years before being found! The bug was introduced
in zlib 1.2.2.2, with the addition of the Z_FIXED option. That
option forces the use of fixed Huffman codes. For rare inputs with
a large number of distant matches, the pending buffer into which
the compressed data is written can overwrite the distance symbol
table which it overlays. That results in corrupted output due to
invalid distances, and can result in out-of-bound accesses,
crashing the application.

The fix here combines the distance buffer and literal/length
buffers into a single symbol buffer. Now three bytes of pending
buffer space are opened up for each literal or length/distance
pair consumed, instead of the previous two bytes. This assures
that the pending buffer cannot overwrite the symbol table, since
the maximum fixed code compressed length/distance is 31 bits, and
since there are four bytes of pending space for every three bytes
of symbol space.
    5c44459c
    History
    Fix a bug that can crash deflate on some input when using Z_FIXED.
    Mark Adler authored 
    This bug was reported by Danilo Ramos of Eideticom, Inc. It has
lain in wait 13 years before being found! The bug was introduced
in zlib 1.2.2.2, with the addition of the Z_FIXED option. That
option forces the use of fixed Huffman codes. For rare inputs with
a large number of distant matches, the pending buffer into which
the compressed data is written can overwrite the distance symbol
table which it overlays. That results in corrupted output due to
invalid distances, and can result in out-of-bound accesses,
crashing the application.

The fix here combines the distance buffer and literal/length
buffers into a single symbol buffer. Now three bytes of pending
buffer space are opened up for each literal or length/distance
pair consumed, instead of the previous two bytes. This assures
that the pending buffer cannot overwrite the symbol table, since
the maximum fixed code compressed length/distance is 31 bits, and
since there are four bytes of pending space for every three bytes
of symbol space.
Code owners
Assign users and groups as approvers for specific file changes. Learn more.