From c91702b2ad5f265e04854e0bb711e2faa17daf6e Mon Sep 17 00:00:00 2001
From: Lv Ying
Date: Thu, 28 Jul 2022 01:01:27 -0700
Subject: [PATCH] backport bugfix patch: detect invalid input
Signed-off-by: Lv Ying
---
backport-gzip-detect-invalid-input.patch | 61 ++++++++++++++++++++++
backport-gzip-test-invalid-input-bug.patch | 29 ++++++++++
gzip.spec | 8 ++-
3 files changed, 97 insertions(+), 1 deletion(-)
create mode 100644 backport-gzip-detect-invalid-input.patch
create mode 100644 backport-gzip-test-invalid-input-bug.patch
diff --git a/backport-gzip-detect-invalid-input.patch b/backport-gzip-detect-invalid-input.patch
new file mode 100644
index 0000000..76e2008
--- /dev/null
+++ b/backport-gzip-detect-invalid-input.patch
@@ -0,0 +1,61 @@
+From 63814d71ed81baec6f8b55513b561e045b160fa2 Mon Sep 17 00:00:00 2001
+From: Paul Eggert
+Date: Tue, 28 Jun 2022 22:30:08 -0500
+Subject: [PATCH 1/2] gzip: detect invalid input
+
+Conflict: Context adapt: Tracevv((stderr,"\\[%d,%d]", w-d, n));
+Reference: https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=4b58eee79d3af3647adb4c78938d83970e788975
+
+Problem reported by Young Mo Kang and fix from Mark Adler (Bug#56247).
+* inflate.c: Include stdbool.h.
+(fresh): New static var.
+* inflate.c (flush_output): Clear it.
+(inflate): Set it.
+(inflate_codes): Fail if the offset is outside a fresh input window.
+---
+ inflate.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/inflate.c b/inflate.c
+index f54eb65..d5b8c44 100644
+--- a/inflate.c
++++ b/inflate.c
+@@ -117,6 +117,7 @@
+
+ #include
+
++#include
+ #include
+
+ #include "tailor.h"
+@@ -153,8 +154,9 @@ static int huft_free (struct huft *);
+ "uch *slide;" and then malloc'ed in the latter case. The definition
+ must be in unzip.h, included above. */
+ /* unsigned wp; current position in slide */
++static bool fresh;
+ #define wp outcnt
+-#define flush_output(w) (wp=(w),flush_window())
++#define flush_output(w) (fresh = false, wp = (w), flush_window ())
+
+ /* Tables for deflate from PKZIP's appnote.txt. */
+ static unsigned border[] = { /* Order of the bit length code lengths */
+@@ -572,6 +574,8 @@ inflate_codes(struct huft *tl, struct huft *td, int bl, int bd)
+ NEEDBITS(e)
+ d = w - t->v.n - ((unsigned)b & mask_bits[e]);
+ DUMPBITS(e)
++ if (fresh && w <= d)
++ return 1;
+ Tracevv((stderr,"\\[%d,%d]", w-d, n));
+
+ /* do the copy */
+@@ -954,6 +958,7 @@ inflate(void)
+ wp = 0;
+ bk = 0;
+ bb = 0;
++ fresh = true;
+
+
+ /* decompress until the last block */
+--
+2.27.0
+
diff --git a/backport-gzip-test-invalid-input-bug.patch b/backport-gzip-test-invalid-input-bug.patch
new file mode 100644
index 0000000..f3880ca
--- /dev/null
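Review bot: The new guard `if (fresh && w <= d) return 1;` in inflate_codes appears to depend on `d` being unsigned, so that a match distance larger than the current position `w` wraps to a value at or above `w`, and nothing in the patch states that. I would add a comment on the check, `/* d wrapped: distance reaches before the first byte written since inflate() started */`, and one on the declaration, `/* true from the start of inflate() until the first flush_output() */`. The clearing of `fresh` is hidden inside the `flush_output` macro, so any path that writes to the window and flushes some other way would leave the flag stale; that invariant should also be stated next to the macro. The declaration of `d`, the copy loop and the rest of inflate_codes and inflate lie outside these hunks, so the unsigned type is inferred from the visible `(unsigned)b` arithmetic and should be confirmed.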
+++ b/backport-gzip-test-invalid-input-bug.patch
@@ -0,0 +1,29 @@
+From 7af8e5b0c722c9752940d5af3d8e387e90c227ce Mon Sep 17 00:00:00 2001
+From: Paul Eggert
+Date: Tue, 28 Jun 2022 22:32:09 -0500
+Subject: [PATCH 2/2] gzip: test invalid-input bug
+
+Conflict: Do not include NEWS change
+Reference: https://git.savannah.gnu.org/cgit/gzip.git/commit/?id=3e32e3c3583e5249394d45f7a1f9bf3156c8d32f
+
+* NEWS: Mention the bug.
+* tests/unpack-invalid: Test for the bug.
+---
+ tests/unpack-invalid | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/tests/unpack-invalid b/tests/unpack-invalid
+index 14984a1..f659aa8 100755
+--- a/tests/unpack-invalid
++++ b/tests/unpack-invalid
+@@ -22,6 +22,7 @@
+
+ fail=0
+ for input in \
++ '\37\213\b\0\0\0\0\0\0\3s\212\31204t\214T\v\216\274)q)\210\201A\341\377\377\37\f\23\30B\4\30\30\27+\\aih`hpd8\300\252\320\300\310\300\340\300\300\330\340\350\300\261\200!$\331M\201!\205q\341\253\214o+LM\331W\2300\310-|\305\300\256r\341\213\377\357\312\266$N\16E6\206\24\206\365\346\22\253\332L3l\366\334]]\244\275lM\355I\241;\377\343x\23\26M9\330\252\375\261\\%%\270\225\223wb\257\252\2\302\5\336\377\205\302\30\30\30\243$\03700010214\b0\260002p.`0dv\270 5o\371+7\237\366%%WL\246YMZ\234\367FN\277{\247\322\34\r\17\325\377\235\332\20\177\0\0@\23a\3\315\0\0\0' \
+ '\037\036\000\000\037\213\010\000\000\000\000\000\002\003\036\000\000\000\002\003\037\213\010\000\000\000\000\000\002\003\355\301\001\015\000\000\000\302\240\037\000\302\240\037\213\010\000\000\000\000\000\002\003\355\301' \
+ '\037\213\010\000\000\000\000\000\002\003\355\301\001\015\000\000\000\302\240\076\366\017\370\036\016\030\000\000\000\000\000\000\000\000\000\034\010\105\140\104\025\020\047\000\000\037\036\016\030\000\000\000'; do
+
+--
+2.27.0
+
diff --git a/gzip.spec b/gzip.spec
index ec576d4..7d66f3b 100644
--- a/gzip.spec
+++ b/gzip.spec
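Review bot: The first vector added to the `for input in \` list is an opaque escaped blob with nothing tying it to the defect it guards, so a later maintainer cannot tell which decoder check it is meant to hit. A comment cannot sit inside the backslash-continued list, so I would put one on the line before the loop, for example `# 1st input: offset outside a fresh window (Bug#56247)`. The loop body and its pass/fail test are outside the hunk, so confirm that the test requires gzip to reject the input with a failing status and not merely to avoid crashing.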
@@ -1,12 +1,15 @@ Name: gzip Version: 1.12 -Release: 1 +Release: 2 Summary: A data compression utility License: GPLv3 URL: https://www.gnu.org/software/gzip Source0: https://ftp.gnu.org/gnu/gzip/gzip-%{version}.tar.xz +Patch6000: backport-gzip-detect-invalid-input.patch +Patch6001: backport-gzip-test-invalid-input-bug.patch + Patch9000: fix-verbose-disable.patch Patch9001: performance-neoncrc32-and-prfm.patch @@ -58,6 +61,9 @@ make check %{_mandir}/man1/* %changelog +* Thu Jul 28 2022 Lv Ying - 1.12-2 +- backport bugfix patch: detect invalid input + * Sat Jun 11 2022 YukariChiba - 1.12-1 - Upgrade version. -- Gitee