diff options
Diffstat (limited to 'lib/inflate.c')
-rw-r--r-- | lib/inflate.c | 129 |
1 files changed, 91 insertions, 38 deletions
diff --git a/lib/inflate.c b/lib/inflate.c index 6db6e98d1637..845f91d3ac12 100644 --- a/lib/inflate.c +++ b/lib/inflate.c | |||
@@ -292,7 +292,6 @@ STATIC int INIT huft_build( | |||
292 | oversubscribed set of lengths), and three if not enough memory. */ | 292 | oversubscribed set of lengths), and three if not enough memory. */ |
293 | { | 293 | { |
294 | unsigned a; /* counter for codes of length k */ | 294 | unsigned a; /* counter for codes of length k */ |
295 | unsigned c[BMAX+1]; /* bit length count table */ | ||
296 | unsigned f; /* i repeats in table every f entries */ | 295 | unsigned f; /* i repeats in table every f entries */ |
297 | int g; /* maximum code length */ | 296 | int g; /* maximum code length */ |
298 | int h; /* table level */ | 297 | int h; /* table level */ |
@@ -303,18 +302,33 @@ STATIC int INIT huft_build( | |||
303 | register unsigned *p; /* pointer into c[], b[], or v[] */ | 302 | register unsigned *p; /* pointer into c[], b[], or v[] */ |
304 | register struct huft *q; /* points to current table */ | 303 | register struct huft *q; /* points to current table */ |
305 | struct huft r; /* table entry for structure assignment */ | 304 | struct huft r; /* table entry for structure assignment */ |
306 | struct huft *u[BMAX]; /* table stack */ | ||
307 | unsigned v[N_MAX]; /* values in order of bit length */ | ||
308 | register int w; /* bits before this table == (l * h) */ | 305 | register int w; /* bits before this table == (l * h) */ |
309 | unsigned x[BMAX+1]; /* bit offsets, then code stack */ | ||
310 | unsigned *xp; /* pointer into x */ | 306 | unsigned *xp; /* pointer into x */ |
311 | int y; /* number of dummy codes added */ | 307 | int y; /* number of dummy codes added */ |
312 | unsigned z; /* number of entries in current table */ | 308 | unsigned z; /* number of entries in current table */ |
309 | struct { | ||
310 | unsigned c[BMAX+1]; /* bit length count table */ | ||
311 | struct huft *u[BMAX]; /* table stack */ | ||
312 | unsigned v[N_MAX]; /* values in order of bit length */ | ||
313 | unsigned x[BMAX+1]; /* bit offsets, then code stack */ | ||
314 | } *stk; | ||
315 | unsigned *c, *v, *x; | ||
316 | struct huft **u; | ||
317 | int ret; | ||
313 | 318 | ||
314 | DEBG("huft1 "); | 319 | DEBG("huft1 "); |
315 | 320 | ||
321 | stk = malloc(sizeof(*stk)); | ||
322 | if (stk == NULL) | ||
323 | return 3; /* out of memory */ | ||
324 | |||
325 | c = stk->c; | ||
326 | v = stk->v; | ||
327 | x = stk->x; | ||
328 | u = stk->u; | ||
329 | |||
316 | /* Generate counts for each bit length */ | 330 | /* Generate counts for each bit length */ |
317 | memzero(c, sizeof(c)); | 331 | memzero(stk->c, sizeof(stk->c)); |
318 | p = b; i = n; | 332 | p = b; i = n; |
319 | do { | 333 | do { |
320 | Tracecv(*p, (stderr, (n-i >= ' ' && n-i <= '~' ? "%c %d\n" : "0x%x %d\n"), | 334 | Tracecv(*p, (stderr, (n-i >= ' ' && n-i <= '~' ? "%c %d\n" : "0x%x %d\n"), |
@@ -326,7 +340,8 @@ DEBG("huft1 "); | |||
326 | { | 340 | { |
327 | *t = (struct huft *)NULL; | 341 | *t = (struct huft *)NULL; |
328 | *m = 0; | 342 | *m = 0; |
329 | return 2; | 343 | ret = 2; |
344 | goto out; | ||
330 | } | 345 | } |
331 | 346 | ||
332 | DEBG("huft2 "); | 347 | DEBG("huft2 "); |
@@ -351,10 +366,14 @@ DEBG("huft3 "); | |||
351 | 366 | ||
352 | /* Adjust last length count to fill out codes, if needed */ | 367 | /* Adjust last length count to fill out codes, if needed */ |
353 | for (y = 1 << j; j < i; j++, y <<= 1) | 368 | for (y = 1 << j; j < i; j++, y <<= 1) |
354 | if ((y -= c[j]) < 0) | 369 | if ((y -= c[j]) < 0) { |
355 | return 2; /* bad input: more codes than bits */ | 370 | ret = 2; /* bad input: more codes than bits */ |
356 | if ((y -= c[i]) < 0) | 371 | goto out; |
357 | return 2; | 372 | } |
373 | if ((y -= c[i]) < 0) { | ||
374 | ret = 2; | ||
375 | goto out; | ||
376 | } | ||
358 | c[i] += y; | 377 | c[i] += y; |
359 | 378 | ||
360 | DEBG("huft4 "); | 379 | DEBG("huft4 "); |
@@ -428,7 +447,8 @@ DEBG1("3 "); | |||
428 | { | 447 | { |
429 | if (h) | 448 | if (h) |
430 | huft_free(u[0]); | 449 | huft_free(u[0]); |
431 | return 3; /* not enough memory */ | 450 | ret = 3; /* not enough memory */ |
451 | goto out; | ||
432 | } | 452 | } |
433 | DEBG1("4 "); | 453 | DEBG1("4 "); |
434 | hufts += z + 1; /* track memory usage */ | 454 | hufts += z + 1; /* track memory usage */ |
@@ -492,7 +512,11 @@ DEBG("h6f "); | |||
492 | DEBG("huft7 "); | 512 | DEBG("huft7 "); |
493 | 513 | ||
494 | /* Return true (1) if we were given an incomplete table */ | 514 | /* Return true (1) if we were given an incomplete table */ |
495 | return y != 0 && g != 1; | 515 | ret = y != 0 && g != 1; |
516 | |||
517 | out: | ||
518 | free(stk); | ||
519 | return ret; | ||
496 | } | 520 | } |
497 | 521 | ||
498 | 522 | ||
@@ -705,10 +729,14 @@ STATIC int noinline INIT inflate_fixed(void) | |||
705 | struct huft *td; /* distance code table */ | 729 | struct huft *td; /* distance code table */ |
706 | int bl; /* lookup bits for tl */ | 730 | int bl; /* lookup bits for tl */ |
707 | int bd; /* lookup bits for td */ | 731 | int bd; /* lookup bits for td */ |
708 | unsigned l[288]; /* length list for huft_build */ | 732 | unsigned *l; /* length list for huft_build */ |
709 | 733 | ||
710 | DEBG("<fix"); | 734 | DEBG("<fix"); |
711 | 735 | ||
736 | l = malloc(sizeof(*l) * 288); | ||
737 | if (l == NULL) | ||
738 | return 3; /* out of memory */ | ||
739 | |||
712 | /* set up literal table */ | 740 | /* set up literal table */ |
713 | for (i = 0; i < 144; i++) | 741 | for (i = 0; i < 144; i++) |
714 | l[i] = 8; | 742 | l[i] = 8; |
@@ -719,9 +747,10 @@ DEBG("<fix"); | |||
719 | for (; i < 288; i++) /* make a complete, but wrong code set */ | 747 | for (; i < 288; i++) /* make a complete, but wrong code set */ |
720 | l[i] = 8; | 748 | l[i] = 8; |
721 | bl = 7; | 749 | bl = 7; |
722 | if ((i = huft_build(l, 288, 257, cplens, cplext, &tl, &bl)) != 0) | 750 | if ((i = huft_build(l, 288, 257, cplens, cplext, &tl, &bl)) != 0) { |
751 | free(l); | ||
723 | return i; | 752 | return i; |
724 | 753 | } | |
725 | 754 | ||
726 | /* set up distance table */ | 755 | /* set up distance table */ |
727 | for (i = 0; i < 30; i++) /* make an incomplete code set */ | 756 | for (i = 0; i < 30; i++) /* make an incomplete code set */ |
@@ -730,6 +759,7 @@ DEBG("<fix"); | |||
730 | if ((i = huft_build(l, 30, 0, cpdist, cpdext, &td, &bd)) > 1) | 759 | if ((i = huft_build(l, 30, 0, cpdist, cpdext, &td, &bd)) > 1) |
731 | { | 760 | { |
732 | huft_free(tl); | 761 | huft_free(tl); |
762 | free(l); | ||
733 | 763 | ||
734 | DEBG(">"); | 764 | DEBG(">"); |
735 | return i; | 765 | return i; |
@@ -737,11 +767,13 @@ DEBG("<fix"); | |||
737 | 767 | ||
738 | 768 | ||
739 | /* decompress until an end-of-block code */ | 769 | /* decompress until an end-of-block code */ |
740 | if (inflate_codes(tl, td, bl, bd)) | 770 | if (inflate_codes(tl, td, bl, bd)) { |
771 | free(l); | ||
741 | return 1; | 772 | return 1; |
742 | 773 | } | |
743 | 774 | ||
744 | /* free the decoding tables, return */ | 775 | /* free the decoding tables, return */ |
776 | free(l); | ||
745 | huft_free(tl); | 777 | huft_free(tl); |
746 | huft_free(td); | 778 | huft_free(td); |
747 | return 0; | 779 | return 0; |
@@ -766,16 +798,19 @@ STATIC int noinline INIT inflate_dynamic(void) | |||
766 | unsigned nb; /* number of bit length codes */ | 798 | unsigned nb; /* number of bit length codes */ |
767 | unsigned nl; /* number of literal/length codes */ | 799 | unsigned nl; /* number of literal/length codes */ |
768 | unsigned nd; /* number of distance codes */ | 800 | unsigned nd; /* number of distance codes */ |
769 | #ifdef PKZIP_BUG_WORKAROUND | 801 | unsigned *ll; /* literal/length and distance code lengths */ |
770 | unsigned ll[288+32]; /* literal/length and distance code lengths */ | ||
771 | #else | ||
772 | unsigned ll[286+30]; /* literal/length and distance code lengths */ | ||
773 | #endif | ||
774 | register ulg b; /* bit buffer */ | 802 | register ulg b; /* bit buffer */ |
775 | register unsigned k; /* number of bits in bit buffer */ | 803 | register unsigned k; /* number of bits in bit buffer */ |
804 | int ret; | ||
776 | 805 | ||
777 | DEBG("<dyn"); | 806 | DEBG("<dyn"); |
778 | 807 | ||
808 | #ifdef PKZIP_BUG_WORKAROUND | ||
809 | ll = malloc(sizeof(*ll) * (288+32)); /* literal/length and distance code lengths */ | ||
810 | #else | ||
811 | ll = malloc(sizeof(*ll) * (286+30)); /* literal/length and distance code lengths */ | ||
812 | #endif | ||
813 | |||
779 | /* make local bit buffer */ | 814 | /* make local bit buffer */ |
780 | b = bb; | 815 | b = bb; |
781 | k = bk; | 816 | k = bk; |
@@ -796,7 +831,10 @@ DEBG("<dyn"); | |||
796 | #else | 831 | #else |
797 | if (nl > 286 || nd > 30) | 832 | if (nl > 286 || nd > 30) |
798 | #endif | 833 | #endif |
799 | return 1; /* bad lengths */ | 834 | { |
835 | ret = 1; /* bad lengths */ | ||
836 | goto out; | ||
837 | } | ||
800 | 838 | ||
801 | DEBG("dyn1 "); | 839 | DEBG("dyn1 "); |
802 | 840 | ||
@@ -818,7 +856,8 @@ DEBG("dyn2 "); | |||
818 | { | 856 | { |
819 | if (i == 1) | 857 | if (i == 1) |
820 | huft_free(tl); | 858 | huft_free(tl); |
821 | return i; /* incomplete code set */ | 859 | ret = i; /* incomplete code set */ |
860 | goto out; | ||
822 | } | 861 | } |
823 | 862 | ||
824 | DEBG("dyn3 "); | 863 | DEBG("dyn3 "); |
@@ -840,8 +879,10 @@ DEBG("dyn3 "); | |||
840 | NEEDBITS(2) | 879 | NEEDBITS(2) |
841 | j = 3 + ((unsigned)b & 3); | 880 | j = 3 + ((unsigned)b & 3); |
842 | DUMPBITS(2) | 881 | DUMPBITS(2) |
843 | if ((unsigned)i + j > n) | 882 | if ((unsigned)i + j > n) { |
844 | return 1; | 883 | ret = 1; |
884 | goto out; | ||
885 | } | ||
845 | while (j--) | 886 | while (j--) |
846 | ll[i++] = l; | 887 | ll[i++] = l; |
847 | } | 888 | } |
@@ -850,8 +891,10 @@ DEBG("dyn3 "); | |||
850 | NEEDBITS(3) | 891 | NEEDBITS(3) |
851 | j = 3 + ((unsigned)b & 7); | 892 | j = 3 + ((unsigned)b & 7); |
852 | DUMPBITS(3) | 893 | DUMPBITS(3) |
853 | if ((unsigned)i + j > n) | 894 | if ((unsigned)i + j > n) { |
854 | return 1; | 895 | ret = 1; |
896 | goto out; | ||
897 | } | ||
855 | while (j--) | 898 | while (j--) |
856 | ll[i++] = 0; | 899 | ll[i++] = 0; |
857 | l = 0; | 900 | l = 0; |
@@ -861,8 +904,10 @@ DEBG("dyn3 "); | |||
861 | NEEDBITS(7) | 904 | NEEDBITS(7) |
862 | j = 11 + ((unsigned)b & 0x7f); | 905 | j = 11 + ((unsigned)b & 0x7f); |
863 | DUMPBITS(7) | 906 | DUMPBITS(7) |
864 | if ((unsigned)i + j > n) | 907 | if ((unsigned)i + j > n) { |
865 | return 1; | 908 | ret = 1; |
909 | goto out; | ||
910 | } | ||
866 | while (j--) | 911 | while (j--) |
867 | ll[i++] = 0; | 912 | ll[i++] = 0; |
868 | l = 0; | 913 | l = 0; |
@@ -891,7 +936,8 @@ DEBG("dyn5b "); | |||
891 | error("incomplete literal tree"); | 936 | error("incomplete literal tree"); |
892 | huft_free(tl); | 937 | huft_free(tl); |
893 | } | 938 | } |
894 | return i; /* incomplete code set */ | 939 | ret = i; /* incomplete code set */ |
940 | goto out; | ||
895 | } | 941 | } |
896 | DEBG("dyn5c "); | 942 | DEBG("dyn5c "); |
897 | bd = dbits; | 943 | bd = dbits; |
@@ -907,15 +953,18 @@ DEBG("dyn5d "); | |||
907 | huft_free(td); | 953 | huft_free(td); |
908 | } | 954 | } |
909 | huft_free(tl); | 955 | huft_free(tl); |
910 | return i; /* incomplete code set */ | 956 | ret = i; /* incomplete code set */ |
957 | goto out; | ||
911 | #endif | 958 | #endif |
912 | } | 959 | } |
913 | 960 | ||
914 | DEBG("dyn6 "); | 961 | DEBG("dyn6 "); |
915 | 962 | ||
916 | /* decompress until an end-of-block code */ | 963 | /* decompress until an end-of-block code */ |
917 | if (inflate_codes(tl, td, bl, bd)) | 964 | if (inflate_codes(tl, td, bl, bd)) { |
918 | return 1; | 965 | ret = 1; |
966 | goto out; | ||
967 | } | ||
919 | 968 | ||
920 | DEBG("dyn7 "); | 969 | DEBG("dyn7 "); |
921 | 970 | ||
@@ -924,10 +973,14 @@ DEBG("dyn7 "); | |||
924 | huft_free(td); | 973 | huft_free(td); |
925 | 974 | ||
926 | DEBG(">"); | 975 | DEBG(">"); |
927 | return 0; | 976 | ret = 0; |
928 | 977 | out: | |
929 | underrun: | 978 | free(ll); |
930 | return 4; /* Input underrun */ | 979 | return ret; |
980 | |||
981 | underrun: | ||
982 | ret = 4; /* Input underrun */ | ||
983 | goto out; | ||
931 | } | 984 | } |
932 | 985 | ||
933 | 986 | ||