Security Fix

Index: gzip.c
--- gzip.c.orig	2006-11-20 09:40:33 +0100
+++ gzip.c	2006-12-06 12:02:25 +0100
@@ -167,7 +167,7 @@
 DECLARE(uch, inbuf,  INBUFSIZ +INBUF_EXTRA);
 DECLARE(uch, outbuf, OUTBUFSIZ+OUTBUF_EXTRA);
 DECLARE(ush, d_buf,  DIST_BUFSIZE);
-DECLARE(uch, window, 2L*WSIZE);
+DECLARE(uch, window, 2L*WSIZE + 4096); /* enlarge to avoid crashs due to peeking beyond the buffer end */
 #ifndef MAXSEG_64K
     DECLARE(ush, tab_prefix, 1L<<BITS);
 #else

-----------------------------------------------------------------------------

Security Fixes 
- OOB write        (CVE-2006-4335)
- Buffer underflow (CVE-2006-4336)
- Buffer overflow  (CVE-2006-4337)
- Infinite loop    (CVE-2006-4338)

Index: gzip.h
--- gzip.h.orig	2006-11-20 09:40:33 +0100
+++ gzip.h	2006-11-23 17:49:52 +0100
@@ -220,6 +220,8 @@
 extern int to_stdout;      /* output to stdout (-c) */
 extern int save_orig_name; /* set if original name must be saved */
 
+#define MIN(a,b) ((a) <= (b) ? (a) : (b))
+
 #define get_byte()  (inptr < insize ? inbuf[inptr++] : fill_inbuf(0))
 #define try_byte()  (inptr < insize ? inbuf[inptr++] : fill_inbuf(1))
 
Index: unlzh.c
--- unlzh.c.orig	2006-11-20 09:40:34 +0100
+++ unlzh.c	2006-11-23 18:02:12 +0100
@@ -145,12 +145,17 @@
     unsigned i, k, len, ch, jutbits, avail, nextcode, mask;
 
     for (i = 1; i <= 16; i++) count[i] = 0;
-    for (i = 0; i < (unsigned)nchar; i++) count[bitlen[i]]++;
+    for (i = 0; i < (unsigned)nchar; i++) {
+        if (bitlen[i] > 16)
+            error("Bad table\n");
+        else
+            count[bitlen[i]]++;
+    }
 
     start[1] = 0;
     for (i = 1; i <= 16; i++)
 	start[i + 1] = start[i] + (count[i] << (16 - i));
-    if ((start[17] & 0xffff) != 0)
+    if ((start[17] & 0xffff) != 0 || tablebits > 16) /* 16 for weight below */
       gzip_error ("Bad table\n");
 
     jutbits = 16 - tablebits;
@@ -165,15 +170,15 @@
 
     i = start[tablebits + 1] >> jutbits;
     if (i != 0) {
-	k = 1 << tablebits;
-	while (i != k) table[i++] = 0;
+	k = MIN(1 << tablebits, DIST_BUFSIZE);
+	while (i < k) table[i++] = 0;
     }
 
     avail = nchar;
     mask = (unsigned) 1 << (15 - tablebits);
     for (ch = 0; ch < (unsigned)nchar; ch++) {
 	if ((len = bitlen[ch]) == 0) continue;
-	nextcode = start[len] + weight[len];
+	nextcode = MIN(start[len] + weight[len], DIST_BUFSIZE);
 	if (len <= (unsigned)tablebits) {
 	    if ((unsigned) 1 << tablebits < nextcode)
 	      gzip_error ("Bad table\n");
@@ -216,7 +221,7 @@
 	for (i = 0; i < 256; i++) pt_table[i] = c;
     } else {
 	i = 0;
-	while (i < n) {
+	while (i < MIN(n,NPT)) {
 	    c = bitbuf >> (BITBUFSIZ - 3);
 	    if (c == 7) {
 		mask = (unsigned) 1 << (BITBUFSIZ - 1 - 3);
@@ -228,7 +233,7 @@
 	    pt_len[i++] = c;
 	    if (i == i_special) {
 		c = getbits(2);
-		while (--c >= 0) pt_len[i++] = 0;
+		while (--c >= 0 && i < NPT) pt_len[i++] = 0;
 	    }
 	}
 	while (i < nn) pt_len[i++] = 0;
@@ -248,7 +253,7 @@
 	for (i = 0; i < 4096; i++) c_table[i] = c;
     } else {
 	i = 0;
-	while (i < n) {
+	while (i < MIN(n,NC)) {
 	    c = pt_table[bitbuf >> (BITBUFSIZ - 8)];
 	    if (c >= NT) {
 		mask = (unsigned) 1 << (BITBUFSIZ - 1 - 8);
@@ -256,14 +261,14 @@
 		    if (bitbuf & mask) c = right[c];
 		    else               c = left [c];
 		    mask >>= 1;
-		} while (c >= NT);
+		} while (c >= NT && (mask || c != left[c]));
 	    }
 	    fillbuf((int) pt_len[c]);
 	    if (c <= 2) {
 		if      (c == 0) c = 1;
 		else if (c == 1) c = getbits(4) + 3;
 		else             c = getbits(CBIT) + 20;
-		while (--c >= 0) c_len[i++] = 0;
+		while (--c >= 0 && i < NC) c_len[i++] = 0;
 	    } else c_len[i++] = c - 2;
 	}
 	while (i < NC) c_len[i++] = 0;
@@ -292,7 +297,7 @@
 	    if (bitbuf & mask) j = right[j];
 	    else               j = left [j];
 	    mask >>= 1;
-	} while (j >= NC);
+	} while (j >= NC && (mask || j != left[j]));
     }
     fillbuf((int) c_len[j]);
     return j;
@@ -309,7 +314,7 @@
 	    if (bitbuf & mask) j = right[j];
 	    else               j = left [j];
 	    mask >>= 1;
-	} while (j >= NP);
+	} while (j >= NP && (mask || j != left[j]));
     }
     fillbuf((int) pt_len[j]);
     if (j != 0) j = ((unsigned) 1 << (j - 1)) + getbits((int) (j - 1));
@@ -356,7 +361,7 @@
     while (--j >= 0) {
 	buffer[r] = buffer[i];
 	i = (i + 1) & (DICSIZ - 1);
-	if (++r == count) return r;
+	if (++r >= count) return r;
     }
     for ( ; ; ) {
 	c = decode_c();
@@ -366,14 +371,14 @@
 	}
 	if (c <= UCHAR_MAX) {
 	    buffer[r] = c;
-	    if (++r == count) return r;
+	    if (++r >= count) return r;
 	} else {
 	    j = c - (UCHAR_MAX + 1 - THRESHOLD);
 	    i = (r - decode_p() - 1) & (DICSIZ - 1);
 	    while (--j >= 0) {
 		buffer[r] = buffer[i];
 		i = (i + 1) & (DICSIZ - 1);
-		if (++r == count) return r;
+		if (++r >= count) return r;
 	    }
 	}
     }
Index: unpack.c
--- unpack.c.orig	2006-11-20 09:40:34 +0100
+++ unpack.c	2006-11-23 17:49:52 +0100
@@ -26,7 +26,6 @@
 #include "gzip.h"
 #include "crypt.h"
 
-#define MIN(a,b) ((a) <= (b) ? (a) : (b))
 /* The arguments must not have side effects. */
 
 #define MAX_BITLEN 25
@@ -150,7 +149,7 @@
 	/* Remember where the literals of this length start in literal[] : */
 	lit_base[len] = base;
 	/* And read the literals: */
-	for (n = leaves[len]; n > 0; n--) {
+	for (n = leaves[len]; n > 0 && base < LITERALS; n--) {
 	    literal[base++] = (uch)get_byte();
 	}
     }
@@ -186,7 +185,7 @@
     prefixp = &prefix_len[1<<peek_bits];
     for (len = 1; len <= peek_bits; len++) {
 	int prefixes = leaves[len] << (peek_bits-len); /* may be 0 */
-	while (prefixes--) *--prefixp = (uch)len;
+	while (prefixes-- && prefixp > prefix_len) *--prefixp = (uch)len;
     }
     /* The length of all other codes is unknown: */
     while (prefixp > prefix_len) *--prefixp = 0;