The gentoo security guys found another way to segfault busybox's decompression

code: we can do a null dereference if one of our huffman tables has all zero
length codes.  This fixes it.  (Thanks solar.)

diff --git a/archival/libunarchive/decompress_unzip.c b/archival/libunarchive/decompress_unzip.c
index 1b82542fe4326774cd69da383a592237e4e38d34..ea81695925324a461c56d9c8ba0278a86020285a 100644 (file)
--- a/archival/libunarchive/decompress_unzip.c
+++ b/archival/libunarchive/decompress_unzip.c
@@ -271,7 +271,7 @@ int huft_build(unsigned int *b, const unsigned int n,
        if (c[0] == n) { /* null input--all zero length codes */
                *t = (huft_t *) NULL;
                *m = 0;
-               return 0;
+               return 2;
        }
 
        /* Find minimum and maximum length, bound *m by those */