File gzip-CVE-2009-2624.diff of Package gzip
From ebdc941a5d771a70b2f3ecde4cb94e50efd95c5d Mon Sep 17 00:00:00 2001
From: Thiemo Nagel <thiemo.nagel@ph.tum.de>
Date: Sat, 29 Nov 2008 16:06:59 +0100
Subject: [PATCH] Avoid creating an undersized buffer for the hufts table.
A specific malformed input file (cf. attachment) either leads to gzip
crashing with segmentation violation or hanging in an endless loop.
Attached patch fixes the problem.
---
inflate.c | 6 ++++--
1 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/inflate.c b/inflate.c
index 9f3a661..2f4954b 100644
--- a/inflate.c
+++ b/inflate.c
@@ -335,13 +335,15 @@ int *m; /* maximum lookup bits, returns actual */
} while (--i);
if (c[0] == n) /* null input--all zero length codes */
{
- q = (struct huft *) malloc (2 * sizeof *q);
+ q = (struct huft *) malloc (3 * sizeof *q);
if (!q)
return 3;
- hufts += 2;
+ hufts += 3;
q[0].v.t = (struct huft *) NULL;
q[1].e = 99; /* invalid code marker */
q[1].b = 1;
+ q[2].e = 99; /* invalid code marker */
+ q[2].b = 1;
*t = q + 1;
*m = 1;
return 0;
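Review bot: The new entry count 3 appears three times in this hunk — the malloc size, `hufts += 3`, and the `q[2]` initialisers — with no comment saying why a third entry is needed, so the next reader cannot tell which of the three has to change if the layout ever does. The reason is visible a few lines down: the function hands back `*t = q + 1` with `*m = 1` (the header describes m as the maximum lookup bits), so a 1-bit lookup may index entries 0 and 1 of the returned table, i.e. q[1] and q[2]; with the old 2-entry block the second index fell past the allocation. Suggest a comment above the malloc, `/* q[0] is the link entry; q[1] and q[2] are the two 1-bit entries reachable from *t = q + 1 with *m = 1 */`, and ideally one named constant for the count so the three literals cannot drift apart. The enclosing function starts and ends outside this hunk.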
--
1.5.6.5