Source-Changes-HG archive
[src/trunk]: src/usr.bin/compress provisional fix for CVE-2011-2895, buffer o...
details: https://anonhg.NetBSD.org/src/rev/d86280568215
branches: trunk
changeset: 768381:d86280568215
user: christos <christos%NetBSD.org@localhost>
date: Tue Aug 16 03:24:47 2011 +0000
description:
provisional fix for CVE-2011-2895, buffer overflow in decompression
diffstat:
usr.bin/compress/zopen.c | 10 +++++++---
1 files changed, 7 insertions(+), 3 deletions(-)
diffs (38 lines):
diff -r c034fc060d7d -r d86280568215 usr.bin/compress/zopen.c
--- a/usr.bin/compress/zopen.c Tue Aug 16 03:21:47 2011 +0000
+++ b/usr.bin/compress/zopen.c Tue Aug 16 03:24:47 2011 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: zopen.c,v 1.13 2009/04/11 12:24:37 lukem Exp $ */
+/* $NetBSD: zopen.c,v 1.14 2011/08/16 03:24:47 christos Exp $ */
/*-
* Copyright (c) 1985, 1986, 1992, 1993
@@ -37,7 +37,7 @@
#if 0
static char sccsid[] = "@(#)zopen.c 8.1 (Berkeley) 6/27/93";
#else
-static char rcsid[] = "$NetBSD: zopen.c,v 1.13 2009/04/11 12:24:37 lukem Exp $";
+static char rcsid[] = "$NetBSD: zopen.c,v 1.14 2011/08/16 03:24:47 christos Exp $";
#endif
#endif /* LIBC_SCCS and not lint */
@@ -519,7 +519,7 @@
}
incode = code;
- /* Special case for KwKwK string. */
+ /* Special case FOR kWkWk string. */
if (code >= free_ent) {
*stackp++ = finchar;
code = oldcode;
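Review bot: The comment edit in this hunk ("Special case FOR kWkWk string.") looks like an accidental case toggle, not an intended change; restore "Special case for KwKwK string." so the security fix stays a minimal diff. Separately, the context line "if (code >= free_ent)" treats every code at or above free_ent as the KwKwK case, whereas a well-formed stream can only produce code == free_ent here. Rejecting code > free_ent as corrupt input at this point would stop malformed streams where they enter the decoder, instead of relying only on the stack bound added in the next hunk.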
@@ -527,6 +527,10 @@
/* Generate output characters in reverse order. */
while (code >= 256) {
+ if (stackp - de_stack >= HSIZE - 1) {
+ errno = EOVERFLOW;
+ return -1;
+ }
*stackp++ = tab_suffixof(code);
code = tab_prefixof(code);
}
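Review bot: The new guard compares stackp - de_stack against HSIZE - 1, but the declared capacity of de_stack is not visible in this hunk, so the limit should be expressed in terms of that buffer's actual size, or a comment should state why HSIZE - 1 is the correct bound; otherwise the check and the buffer can drift apart. The guard also handles only the symptom: an over-long or looping prefix chain is still walked through tab_prefixof() until the stack fills, so the permanent fix should validate code before entering this loop. Please also confirm that callers distinguish the -1 / EOVERFLOW return from an ordinary short read and that the decoder state is not reused after this error path.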