mirror of
https://git.tartarus.org/simon/putty.git
synced 2025-01-10 01:48:00 +00:00
Add a missing bounds check in the Deflate decompressor.
The symbol alphabet used for encoding ranges of backward distances in a Deflate compressed block contains 32 symbol values, but two of them (symbols 30 and 31) have no meaning, and hence it is an encoding error for them to appear in a compressed block. If a compressed file did so anyway, this decompressor would index past the end of the distcodes[] array. Oops. This is clearly a bug, but I don't believe it's a vulnerability. The nonsense record we load from distcodes[] in this situation contains an indeterminate bogus value for 'extrabits' (how many more bits to read from the input stream to complete the backward distance) and also for the offset to add to the backward distance after that. But neither of these can lead to a buffer overflow: if extrabits is so big that dctx->nbits (which is capped at 32) never exceeds it, then the decompressor will simply swallow all further data without producing any output, and otherwise the decompressor will consume _some_ number of spare bits from the input, work out a backward distance and an offset in the sliding window which will be utter nonsense and probably out of bounds, but fortunately will then AND the offset with 0x7FFF at the last minute, which makes it safe again. So I think the worst that a malicious compressor can do is to cause the decompressor to generate strange data, which of course it could do anyway if it wanted to by sending that same data legally compressed. [originally from svn r10278]
This commit is contained in:
parent
4d8782e74f
commit
3fd8014ea7
@ -1234,6 +1234,8 @@ int zlib_decompress_block(void *handle, unsigned char *block, int len,
|
|||||||
goto finished;
|
goto finished;
|
||||||
if (code == -2)
|
if (code == -2)
|
||||||
goto decode_error;
|
goto decode_error;
|
||||||
|
if (code >= 30) /* dist symbols 30 and 31 are invalid */
|
||||||
|
goto decode_error;
|
||||||
dctx->state = GOTDISTSYM;
|
dctx->state = GOTDISTSYM;
|
||||||
dctx->sym = code;
|
dctx->sym = code;
|
||||||
break;
|
break;
|
||||||
|
Loading…
Reference in New Issue
Block a user