authorJinWang An <jinwang.an@samsung.com>2021-02-16 18:05:29 +0900
committerJinWang An <jinwang.an@samsung.com>2021-02-16 18:05:29 +0900
commit9ffe36c05847d407c4d8f8e874e8d5012279663b (patch)
treee463bd673e8ef22fe6994cbf65536ed88f7fe336
parent90abb7b35916f11d6ef09cd2ba3a1a15c84d2fd8 (diff)
[CVE-2016-9840] Remove offset pointer optimization in inftrees.c.
inftrees.c was subtracting an offset from a pointer to an array, in order to provide a pointer that allowed indexing starting at the offset. This is not compliant with the C standard, for which the behavior of a pointer decremented before its allocated memory is undefined. Per the recommendation of a security audit of the zlib code by Trail of Bits and TrustInSoft, in support of the Mozilla Foundation, this tiny optimization was removed, in order to avoid the possibility of undefined behavior. Change-Id: I610af44babc621c89300789e9a32d2b037dfe196 Signed-off-by: JinWang An <jinwang.an@samsung.com>
-rw-r--r--Utilities/cmzlib/inftrees.c18
1 files changed, 8 insertions, 10 deletions
diff --git a/Utilities/cmzlib/inftrees.c b/Utilities/cmzlib/inftrees.c
index 8a9c13ff0..978775aaf 100644
--- a/Utilities/cmzlib/inftrees.c
+++ b/Utilities/cmzlib/inftrees.c
@@ -54,7 +54,7 @@ unsigned short FAR *work;
code FAR *next; /* next available space in table */
const unsigned short FAR *base; /* base value table to use */
const unsigned short FAR *extra; /* extra bits table to use */
- int end; /* use base and extra for symbol > end */
+ unsigned match; /* use base and extra for symbol >= match */
unsigned short count[MAXBITS+1]; /* number of codes of each length */
unsigned short offs[MAXBITS+1]; /* offsets in table for each length */
static const unsigned short lbase[31] = { /* Length codes 257..285 base */
@@ -182,19 +182,17 @@ unsigned short FAR *work;
switch (type) {
case CODES:
base = extra = work; /* dummy value--not used */
- end = 19;
+ match = 20;
break;
case LENS:
base = lbase;
- base -= 257;
extra = lext;
- extra -= 257;
- end = 256;
+ match = 257;
break;
default: /* DISTS */
base = dbase;
extra = dext;
- end = -1;
+ match = 0;
}
/* initialize state for loop */
@@ -216,13 +214,13 @@ unsigned short FAR *work;
for (;;) {
/* create table entry */
this.bits = (unsigned char)(len - drop);
- if ((int)(work[sym]) < end) {
+ if (work[sym] + 1 < match) {
this.op = (unsigned char)0;
this.val = work[sym];
}
- else if ((int)(work[sym]) > end) {
- this.op = (unsigned char)(extra[work[sym]]);
- this.val = base[work[sym]];
+ else if (work[sym] >= match) {
+ this.op = (unsigned char)(extra[work[sym]] - match);
+ this.val = base[work[sym] - match];
}
else {
this.op = (unsigned char)(32 + 64); /* end of block */
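Review bot: In the `else if (work[sym] >= match)` branch the new `this.op` line subtracts `match` outside the subscript: `extra[work[sym]] - match` still indexes `extra` with the un-rebased symbol and then subtracts `match` from the loaded value, whereas the next line correctly uses `base[work[sym] - match]`. Since the LENS case in the previous hunk no longer biases `extra` by 257, symbols of 257 and above would read past the end of the table (presumably 31 entries, like `lbase[31]`) and produce a wrong op value, so the change reintroduces an out-of-bounds access while removing the undefined pointer arithmetic; only the DISTS case with `match = 0` is unaffected. The line should be `this.op = (unsigned char)(extra[work[sym] - match]);`. The enclosing function starts and ends outside this hunk, so the table sizes should be confirmed there, and an inflate test over a stream that uses length codes, run under an address sanitizer, would catch this.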