mirror of
https://git.tartarus.org/simon/putty.git
synced 2025-01-10 01:48:00 +00:00
sshzlib: tighten up handling of invalid symbol codes.
In Deflate, both the literal/length and distance Huffman trees are physically capable of encoding two symbol ids beyond the number that the spec assigns any actual meaning to: a compressed block header can specify code lengths for those two extra symbols if it wants to, in which case those codes will be added to the Huffman tree (in particular, will affect the encoding of everything else), but then should not actually use those codes. Our zlib decoder was silently ignoring the two invalid codes in the literal/length tree, but treating the two invalid codes in the distance tree as a fatal decoding error. That seems inconsistent. Now we treat both as fatal decode errors.
This commit is contained in:
parent
1cd935e6c9
commit
eecefcb23c
@ -1105,10 +1105,13 @@ bool zlib_decompress_block(ssh_decompressor *dc,
|
|||||||
zlib_freetable(&dctx->currdisttable);
|
zlib_freetable(&dctx->currdisttable);
|
||||||
dctx->currdisttable = NULL;
|
dctx->currdisttable = NULL;
|
||||||
}
|
}
|
||||||
} else if (code < 286) { /* static tree can give >285; ignore */
|
} else if (code < 286) {
|
||||||
dctx->state = GOTLENSYM;
|
dctx->state = GOTLENSYM;
|
||||||
dctx->sym = code;
|
dctx->sym = code;
|
||||||
}
|
} else {
|
||||||
|
/* literal/length symbols 286 and 287 are invalid */
|
||||||
|
goto decode_error;
|
||||||
|
}
|
||||||
break;
|
break;
|
||||||
case GOTLENSYM:
|
case GOTLENSYM:
|
||||||
rec = &lencodes[dctx->sym - 257];
|
rec = &lencodes[dctx->sym - 257];
|
||||||
|
Loading…
Reference in New Issue
Block a user