Fix serious but very rare decompression bug in inftrees.c.

inftrees.c compared the number of used table entries to the maximum
allowed value using >= instead of >.  This patch fixes those to use
>.  The bug was discovered by Ignat Kolesnichenko of Yandex LC
where they have run petabytes of data through zlib.  Triggering the
bug is apparently very rare, seeing as how it has been out there in
the wild for almost three years before being discovered.  The bug
is instantiated only if the exact maximum number of decoding table
entries, ENOUGH_DISTS or ENOUGH_LENS is used by the block being
decoded, resulting in the false positive of overflowing the table.
This commit is contained in:
Mark Adler 2013-02-18 21:06:35 -08:00
parent 10056909c0
commit 51370f3656

View File

@ -208,8 +208,8 @@ unsigned short FAR *work;
mask = used - 1; /* mask for comparing low */ mask = used - 1; /* mask for comparing low */
/* check available table space */ /* check available table space */
if ((type == LENS && used >= ENOUGH_LENS) || if ((type == LENS && used > ENOUGH_LENS) ||
(type == DISTS && used >= ENOUGH_DISTS)) (type == DISTS && used > ENOUGH_DISTS))
return 1; return 1;
/* process all codes and make table entries */ /* process all codes and make table entries */
@ -277,8 +277,8 @@ unsigned short FAR *work;
/* check for enough space */ /* check for enough space */
used += 1U << curr; used += 1U << curr;
if ((type == LENS && used >= ENOUGH_LENS) || if ((type == LENS && used > ENOUGH_LENS) ||
(type == DISTS && used >= ENOUGH_DISTS)) (type == DISTS && used > ENOUGH_DISTS))
return 1; return 1;
/* point entry in root table to sub-table */ /* point entry in root table to sub-table */