kc3-lang/freetype

Browse

Commit 83cb6c0049f6cc5ea3f27d1d90891472f288ac5e

Tomas Hoger 2011-09-11T09:13:45

Add explicit LZW decompression stack size limit. Stack larger than 1<<LZW_MAX_BITS is never needed if prefix table is constructed correctly. It's even less than that, see e.g. libarchive code comment for a better size upper bound: http://code.google.com/p/libarchive/source/browse/trunk/libarchive/archive_read_support_filter_compress.c?r=3635#121 This patch adds explicit stack size limit, enforced when stack is realloced. An alternative is to ensure that code < state->prefix[code - 256] when traversing prefix table. Such check is less efficient and should not be required if prefix table is constructed correctly in the first place. * src/lzw/ftzopen.c (ft_lzwstate_stack_grow): Implement it. 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50

diff --git a/ChangeLog b/ChangeLog
index e76c105..3076409 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,25 @@
 2011-09-11  Tomas Hoger  <thoger@redhat.com>
 
+	Add explicit LZW decompression stack size limit.
+
+	Stack larger than 1<<LZW_MAX_BITS is never needed if prefix table is
+	constructed correctly.  It's even less than that, see e.g. 
+	libarchive code comment for a better size upper bound:
+
+	  http://code.google.com/p/libarchive/source/browse/trunk/libarchive/archive_read_support_filter_compress.c?r=3635#121
+
+	This patch adds explicit stack size limit, enforced when stack is
+	realloced.
+
+	An alternative is to ensure that code < state->prefix[code - 256]
+	when traversing prefix table.  Such check is less efficient and
+	should not be required if prefix table is constructed correctly in
+	the first place.
+
+	* src/lzw/ftzopen.c (ft_lzwstate_stack_grow): Implement it.
+
+2011-09-11  Tomas Hoger  <thoger@redhat.com>
+
 	Protect against loops in the prefix table.
 
 	LZW decompressor did not sufficiently check codes read from the
diff --git a/src/lzw/ftzopen.c b/src/lzw/ftzopen.c
index b5a6226..f55ee3a 100644
--- a/src/lzw/ftzopen.c
+++ b/src/lzw/ftzopen.c
@@ -124,6 +124,15 @@
         old_size     = 0;
       }
 
+      /* requirement of the character stack larger than 1<<LZW_MAX_BITS */
+      /* implies bug in the decompression code                          */
+      if ( new_size > ( 1 << LZW_MAX_BITS ) )
+      {
+        new_size = 1 << LZW_MAX_BITS;
+        if ( new_size == old_size )
+          return -1;
+      }
+
       if ( FT_RENEW_ARRAY( state->stack, old_size, new_size ) )
         return -1;
kmx.io     mail     discord kmxgit v0.4.0