| http://bugs.gentoo.org/213761 |
| |
| fix for CVE-2008-0888 |
| |
| --- inflate.c |
| +++ inflate.c |
| @@ -983,6 +983,7 @@ |
| unsigned l; /* last length */ |
| unsigned m; /* mask for bit lengths table */ |
| unsigned n; /* number of lengths to get */ |
| + struct huft *tlp; |
| struct huft *tl; /* literal/length code table */ |
| struct huft *td; /* distance code table */ |
| unsigned bl; /* lookup bits for tl */ |
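Review bot: The new `tlp` declaration is the only one in this list without a trailing comment, and its role differs from `tl` and `td`: it is a cursor into the `tl` table, not a table root. I would write it as `struct huft *tlp; /* current entry in tl; never owns or frees a table */`. Since the third hunk only reads `tlp->b` and `tlp->v.n`, `const struct huft *tlp;` would express the same thing in the type, provided nothing outside the visible hunks writes through it. The declaration list belongs to a function whose start and end lie outside this hunk.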
| @@ -996,6 +997,8 @@ |
| int retval = 0; /* error code returned: initialized to "no error" */ |
| |
| |
| + td = tlp = tl = (struct huft *)NULL; |
| + |
| /* make local bit buffer */ |
| Trace((stderr, "\ndynamic block")); |
| b = G.bb; |
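Review bot: The NULL assignment to `tl` and `td` protects the error exits only up to the first point where one of the tables is released. The release code is not visible in this hunk, so the following is inferred. If the function frees `tl` partway through (Info-ZIP's inflate.c uses `huft_free()` for table release) and can still take an error exit afterwards, the pointer should be reset at that point too, as in `huft_free(tl); tl = (struct huft *)NULL;`. Otherwise the exit path would see a stale non-NULL `tl` and release it a second time. The function body continues outside the hunk.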
| @@ -1047,9 +1050,9 @@ |
| while (i < n) |
| { |
| NEEDBITS(bl) |
| - j = (td = tl + ((unsigned)b & m))->b; |
| + j = (tlp = tl + ((unsigned)b & m))->b; |
| DUMPBITS(j) |
| - j = td->v.n; |
| + j = tlp->v.n; |
| if (j < 16) /* length of code in bits (0..15) */ |
| ll[i++] = l = j; /* save last length in l */ |
| else if (j == 16) /* repeat last length 3 to 6 times */ |
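Review bot: The changed assignment carries no comment saying why `td` must not be the scratch pointer here, so a later tidy-up could fold `tlp` back into `td`. `NEEDBITS` is a macro defined outside this hunk. If, as the CVE reference in the description suggests, it can leave the function on truncated input, the old code left `td` holding `tl + offset` rather than an allocated table at that moment. A line above the assignment such as `/* index with tlp, not td: td may be freed on an error exit and must never point inside tl */` would record that. The loop body runs past the end of the hunk, so it is worth confirming that no later branch assigns `td` from `tl`.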