[Zlib-devel] (FYI, debian-specific) inflate.c: avoid referencing uninitialized heap
Jim Meyering
jim at meyering.net
Wed Jan 27 13:16:57 EST 2010
Hello,
[FYI: this is relative to Debian's sources.
At first I thought those were relatively close to "upstream",
but later noticed they have many differences.
Do you have anything newer than 1.2.3?
The report below is also available via:
http://bugs.debian.org/567156
]
Here's a patch to avoid referencing uninitialized heap while
inflating the relatively unusual input that caused gzip-prior-to-1.4
to misbehave:
--- inflate.c.orig 2010-01-27 12:00:02.992726753 +0100
+++ inflate.c 2010-01-27 12:00:26.388602165 +0100
@@ -154,7 +154,7 @@ int windowBits;
/* set number of window bits, free window if different */
if (windowBits < 8 || windowBits > 15)
return Z_STREAM_ERROR;
- if (state->wbits != windowBits && state->window != Z_NULL) {
+ if (state->window != Z_NULL && state->wbits != windowBits) {
ZFREE(strm, state->window);
state->window = Z_NULL;
}
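Review bot: the swapped operand order is correct only because inflateInit2_ has assigned state->window (to Z_NULL on a fresh state) before it calls inflateReset2, while state->wbits is still unset, and nothing in the hunk records that ordering dependency; extend the comment above the test, for example `/* set number of window bits, free window if different; test window first, since it is initialized before wbits */`, and consider also initializing state->wbits where the state is allocated, so that a later reordering of the two operands cannot reintroduce the uninitialized read. Behaviour is otherwise unchanged: both orders free the window only when it is non-NULL and the requested size differs.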
At that point, state->window is initialized, but state->wbits is not.
Without that patch, valgrind complains on this input:
$ printf '\037\235\220\0\0\0\304' > in.Z
$ valgrind ./minigzip -d < in.Z > /dev/null
...
Conditional jump or move depends on uninitialised value(s)
at 0x40B979: inflateReset2 (inflate.c:157)
by 0x40BAC7: inflateInit2_ (inflate.c:193)
by 0x40195E: gz_open (gzio.c:186)
by 0x401BDF: gzdopen (gzio.c:256)
by 0x4014B1: main (minigzip.c:304)
...
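The patch relies on `&&` short-circuiting: with `state->window == Z_NULL` the right-hand operand is never evaluated, so the never-written `state->wbits` is never read. The program below is an added example, not zlib code or Jim Meyering's patch: it models the two orderings of that test on a freshly malloc'd state, with reads of `wbits` routed through a helper that counts reads of the field before it has been assigned (the role valgrind plays above). The struct, the `init_and_check` driver and the local `Z_NULL` macro are assumptions of this example; only the field names `window` and `wbits` and the two conditions come from the page.

```c
/* Added example (not zlib code): a model of the inflateReset2 check from the
 * patch above, instrumented to show why the operand order matters. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define Z_NULL 0   /* local stand-in for zlib's Z_NULL */

struct state {
    unsigned char *window;   /* set to Z_NULL by the caller before the check */
    int wbits;               /* left unassigned by the caller, as on the page */
    int wbits_written;       /* shadow flag (example only): has wbits been assigned? */
    int uninit_reads;        /* count of reads of wbits before it was written */
};

/* Every read of wbits goes through here so the example can count a read of
 * the never-written field, which is what valgrind reported on line 157. */
static int read_wbits(struct state *s)
{
    if (!s->wbits_written)
        s->uninit_reads++;
    return s->wbits;
}

/* Debian's original order: state->wbits != windowBits && state->window != Z_NULL */
static int needs_free_before(struct state *s, int windowBits)
{
    return read_wbits(s) != windowBits && s->window != Z_NULL;
}

/* Patched order: state->window != Z_NULL && state->wbits != windowBits.
 * When window is Z_NULL, && short-circuits and wbits is never read. */
static int needs_free_after(struct state *s, int windowBits)
{
    return s->window != Z_NULL && read_wbits(s) != windowBits;
}

/* Model of inflateInit2_ on a fresh state: allocate, initialise window only,
 * then run the reset-style check.  Returns how many times wbits was read
 * before being assigned, or -2 if the check wrongly asked to free a Z_NULL
 * window, -1 on allocation failure. */
static int init_and_check(int (*check)(struct state *, int), int windowBits)
{
    struct state *s = malloc(sizeof *s);
    if (!s)
        return -1;
    memset(s, 0xA5, sizeof *s);      /* poison, standing in for stale heap */
    s->wbits_written = 0;
    s->uninit_reads = 0;
    s->window = Z_NULL;              /* the only real field the caller sets */

    int free_needed = check(s, windowBits);
    int reads = s->uninit_reads;
    if (free_needed)                 /* neither order may free a Z_NULL window */
        reads = -2;
    free(s);
    return reads;
}

int main(void)
{
    printf("before patch: %d read(s) of unassigned wbits\n",
           init_and_check(needs_free_before, 15));
    printf("after patch:  %d read(s) of unassigned wbits\n",
           init_and_check(needs_free_after, 15));
    return 0;
}
```

Compile with any C99 compiler; the original order reports one read of the unassigned field and the patched order reports none. Because the poison value makes `wbits != windowBits` true, the example also shows that the outcome of the check (no free, since the window is Z_NULL) is the same either way, so the patch changes only whether stale memory is consulted, not what inflateReset2 decides.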