Skip to content

Commit

Permalink
Fix a bug where invalid LZW data could cause out of bounds access.
Browse files Browse the repository at this point in the history
  • Loading branch information
@madler
madler committed Aug 20, 2015
1 parent 52ca317 commit 77ae783
Showing 1 changed file with 18 additions and 14 deletions.
32 changes: 18 additions & 14 deletions pigz.c
View file
Expand Up @@ -3252,15 +3252,18 @@ local void unlzw(void)
machine instruction!) */
{
unsigned rem = ((g.in_tot - g.in_left) - mark) % bits;
if (rem)
if (rem) {
rem = bits - rem;
while (rem > g.in_left) {
rem -= g.in_left;
if (load() == 0)
break;
if (NOMORE())
break; /* end of compressed data */
while (rem > g.in_left) {
rem -= g.in_left;
if (load() == 0)
throw(EDOM, "%s: lzw premature end", g.inf);
}
g.in_left -= rem;
g.in_next += rem;
}
g.in_left -= rem;
g.in_next += rem;
}
buf = 0;
left = 0;
Expand Down Expand Up @@ -3294,15 +3297,16 @@ local void unlzw(void)
/* flush unused input bits and bytes to next 8*bits bit boundary */
{
unsigned rem = ((g.in_tot - g.in_left) - mark) % bits;
if (rem)
if (rem) {
rem = bits - rem;
while (rem > g.in_left) {
rem -= g.in_left;
if (load() == 0)
break;
while (rem > g.in_left) {
rem -= g.in_left;
if (load() == 0)
throw(EDOM, "%s: lzw premature end", g.inf);
}
g.in_left -= rem;
g.in_next += rem;
}
g.in_left -= rem;
g.in_next += rem;
}
buf = 0;
left = 0;
Expand Down

0 comments on commit 77ae783

Please sign in to comment.