aboutsummaryrefslogtreecommitdiffstats
path: root/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9840.patch
diff options
context:
space:
mode:
Diffstat (limited to 'meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9840.patch')
-rw-r--r--meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9840.patch77
1 files changed, 77 insertions, 0 deletions
diff --git a/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9840.patch b/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9840.patch
new file mode 100644
index 0000000000..4f0d2c6975
--- /dev/null
+++ b/meta/recipes-core/zlib/zlib-1.2.8/CVE-2016-9840.patch
@@ -0,0 +1,77 @@
+commit 6a043145ca6e9c55184013841a67b2fef87e44c0
+Author: Mark Adler <madler@alumni.caltech.edu>
+Date: Wed Sep 21 23:35:50 2016 -0700
+
+ Remove offset pointer optimization in inftrees.c.
+
+ inftrees.c was subtracting an offset from a pointer to an array,
+ in order to provide a pointer that allowed indexing starting at
+ the offset. This is not compliant with the C standard, for which
+ the behavior of a pointer decremented before its allocated memory
+ is undefined. Per the recommendation of a security audit of the
+ zlib code by Trail of Bits and TrustInSoft, in support of the
+ Mozilla Foundation, this tiny optimization was removed, in order
+ to avoid the possibility of undefined behavior.
+
+Upstream-Status: Backport
+http://http.debian.net/debian/pool/main/z/zlib/zlib_1.2.8.dfsg-5.debian.tar.xz
+https://github.com/madler/zlib/commit/6a043145ca6e9c55184013841a67b2fef87e44c0
+
+CVE: CVE-2016-9840
+
+Signed-off-by: George McCollister <george.mccollister@gmail.com>
+
+diff --git a/inftrees.c b/inftrees.c
+index 22fcd66..0d2670d 100644
+--- a/inftrees.c
++++ b/inftrees.c
+@@ -54,7 +54,7 @@ unsigned short FAR *work;
+ code FAR *next; /* next available space in table */
+ const unsigned short FAR *base; /* base value table to use */
+ const unsigned short FAR *extra; /* extra bits table to use */
+- int end; /* use base and extra for symbol > end */
++ unsigned match; /* use base and extra for symbol >= match */
+ unsigned short count[MAXBITS+1]; /* number of codes of each length */
+ unsigned short offs[MAXBITS+1]; /* offsets in table for each length */
+ static const unsigned short lbase[31] = { /* Length codes 257..285 base */
+@@ -181,19 +181,17 @@ unsigned short FAR *work;
+ switch (type) {
+ case CODES:
+ base = extra = work; /* dummy value--not used */
+- end = 19;
++ match = 20;
+ break;
+ case LENS:
+ base = lbase;
+- base -= 257;
+ extra = lext;
+- extra -= 257;
+- end = 256;
++ match = 257;
+ break;
+ default: /* DISTS */
+ base = dbase;
+ extra = dext;
+- end = -1;
++ match = 0;
+ }
+
+ /* initialize state for loop */
+@@ -216,13 +214,13 @@ unsigned short FAR *work;
+ for (;;) {
+ /* create table entry */
+ here.bits = (unsigned char)(len - drop);
+- if ((int)(work[sym]) < end) {
++ if (work[sym] + 1 < match) {
+ here.op = (unsigned char)0;
+ here.val = work[sym];
+ }
+- else if ((int)(work[sym]) > end) {
+- here.op = (unsigned char)(extra[work[sym]]);
+- here.val = base[work[sym]];
++ else if (work[sym] >= match) {
++ here.op = (unsigned char)(extra[work[sym] - match]);
++ here.val = base[work[sym] - match];
+ }
+ else {
+ here.op = (unsigned char)(32 + 64); /* end of block */