From: Rob Landley Date: Mon, 20 Feb 2006 02:18:03 +0000 (-0000) Subject: The gentoo security guys found another way to segfault busybox's decompression X-Git-Tag: 1_1_0~192 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=eb00afb2d5bf926b08a8a9b3ca59298c2a32d8b9;p=oweals%2Fbusybox.git The gentoo security guys found another way to segfault busybox's decompression code: we can do a null dereference if one of our huffman tables has all zero length codes. This fixes it. (Thanks solar.) --- diff --git a/archival/libunarchive/decompress_unzip.c b/archival/libunarchive/decompress_unzip.c index 1b82542fe..ea8169592 100644 --- a/archival/libunarchive/decompress_unzip.c +++ b/archival/libunarchive/decompress_unzip.c @@ -271,7 +271,7 @@ int huft_build(unsigned int *b, const unsigned int n, if (c[0] == n) { /* null input--all zero length codes */ *t = (huft_t *) NULL; *m = 0; - return 0; + return 2; } /* Find minimum and maximum length, bound *m by those */
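Review bot: In the `c[0] == n` branch of `huft_build()`, the new `return 2;` is a bare magic number, and the branch comment still reads only "null input--all zero length codes", so nothing at this site says the case is now reported as an error or what 2 means as opposed to other nonzero codes. Please add a short comment there, or a named constant, stating that an all-zero-length table is invalid input. The branch also still stores `*t = (huft_t *) NULL;` before returning, so the fix holds only if every caller checks the return value before touching the table. The hunk shows no call sites, so it would help to confirm in the commit message that each caller treats a nonzero result as failure and never walks `*t` on that path. A regression input with an all-zero-length code table would keep this case from reopening.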