This is an automated email from the git hooks/post-receive script. x2go pushed a change to branch 3.6.x in repository nx-libs. from 26cfe93 fix 3.5.0.29 changelog entry new 18e337d Revert "Do proper input validation to fix for CVE-2011-2895." new 65deb86 Do proper input validation to fix for CVE-2011-2895. The 2 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "adds" were already present in the repository and have only been added to this reference. Summary of changes: nx-X11/lib/font/fontfile/decompress.c | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) -- Alioth's /srv/git/_hooks_/post-receive-email on /srv/git/code.x2go.org/nx-libs.git
This is an automated email from the git hooks/post-receive script. x2go pushed a commit to branch 3.6.x in repository nx-libs. commit 18e337ddf410accec5bdf18c5d28bbd5f3ace7cb Author: Mike Gabriel <mike.gabriel@das-netzwerkteam.de> Date: Mon Feb 16 10:29:14 2015 +0100 Revert "Do proper input validation to fix for CVE-2011-2895." This reverts commit 6acafc9334828da22446380c81af81bde14b5d86. --- nx-X11/lib/font/fontfile/decompress.c | 31 ++++++++++++++----------------- 1 file changed, 14 insertions(+), 17 deletions(-) diff --git a/nx-X11/lib/font/fontfile/decompress.c b/nx-X11/lib/font/fontfile/decompress.c index 12b9f0a..553b315 100644 --- a/nx-X11/lib/font/fontfile/decompress.c +++ b/nx-X11/lib/font/fontfile/decompress.c @@ -99,7 +99,7 @@ static char_type magic_header[] = { "\037\235" }; /* 1F 9D */ #define FIRST 257 /* first free entry */ #define CLEAR 256 /* table clear output code */ -#define STACK_SIZE 65300 +#define STACK_SIZE 8192 typedef struct _compressedFILE { BufFilePtr file; @@ -180,12 +180,14 @@ BufFilePushCompressed (BufFilePtr f) file->tab_suffix[code] = (char_type) code; } file->free_ent = ((file->block_compress) ? FIRST : 256 ); - file->oldcode = -1; file->clear_flg = 0; file->offset = 0; file->size = 0; file->stackp = file->de_stack; bzero(file->buf, BITS); + file->finchar = file->oldcode = getcode (file); + if (file->oldcode != -1) + *file->stackp++ = file->finchar; return BufFileCreate ((char *) file, BufCompressedFill, 0, @@ -230,6 +232,9 @@ BufCompressedFill (BufFilePtr f) if (buf == bufend) break; + if (oldcode == -1) + break; + code = getcode (file); if (code == -1) break; @@ -238,34 +243,26 @@ BufCompressedFill (BufFilePtr f) for ( code = 255; code >= 0; code-- ) file->tab_prefix[code] = 0; file->clear_flg = 1; - file->free_ent = FIRST; - oldcode = -1; - continue; + file->free_ent = FIRST - 1; + if ( (code = getcode (file)) == -1 ) /* O, untimely death! */ + break; } incode = code; /* * Special case for KwKwK string. */ if ( code >= file->free_ent ) { - if ( code > file->free_ent || oldcode == -1 ) { - /* Bad stream. */ - return BUFFILEEOF; - } *stackp++ = finchar; code = oldcode; } -+ /* -+ * The above condition ensures that code < free_ent. -+ * The construction of tab_prefixof in turn guarantees that -+ * each iteration decreases code and therefore stack usage is -+ * bound by 1 << BITS - 256. -+ */ - + /* * Generate output characters in reverse order */ while ( code >= 256 ) { + if (stackp - de_stack >= STACK_SIZE - 1) + return BUFFILEEOF; *stackp++ = file->tab_suffix[code]; code = file->tab_prefix[code]; } @@ -275,7 +272,7 @@ BufCompressedFill (BufFilePtr f) /* * Generate the new entry. */ - if ( (code=file->free_ent) < file->maxmaxcode && oldcode != -1) { + if ( (code=file->free_ent) < file->maxmaxcode ) { file->tab_prefix[code] = (unsigned short)oldcode; file->tab_suffix[code] = finchar; file->free_ent = code+1; -- Alioth's /srv/git/_hooks_/post-receive-email on /srv/git/code.x2go.org/nx-libs.git
This is an automated email from the git hooks/post-receive script. x2go pushed a commit to branch 3.6.x in repository nx-libs. commit 65deb86f8dab0c88e051b5ac416b7907433aa849 Author: Joerg Sonnenberger <joerg@britannica.bec.de> Date: Sun Aug 21 18:51:53 2011 +0200 Do proper input validation to fix for CVE-2011-2895. It ensures that all valid input can be decompressed, checks that the overflow conditions doesn't happen and generally tightens the validation of the LZW stream and doesn't pessimize the inner loop for no good reason. It's derived from a change in libarchive from 2004. v2: backports to nx-libs 3.6.x (Mihai Moldovan) v3: fix comment lines starting with "+" + whitespace fixes (Mike Gabriel) Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr> Reviewed-by: Tomas Hoger <thoger@redhat.com> --- nx-X11/lib/font/fontfile/decompress.c | 31 +++++++++++++++++-------------- 1 file changed, 17 insertions(+), 14 deletions(-) diff --git a/nx-X11/lib/font/fontfile/decompress.c b/nx-X11/lib/font/fontfile/decompress.c index 553b315..c7e649f 100644 --- a/nx-X11/lib/font/fontfile/decompress.c +++ b/nx-X11/lib/font/fontfile/decompress.c @@ -99,7 +99,7 @@ static char_type magic_header[] = { "\037\235" }; /* 1F 9D */ #define FIRST 257 /* first free entry */ #define CLEAR 256 /* table clear output code */ -#define STACK_SIZE 8192 +#define STACK_SIZE 65300 typedef struct _compressedFILE { BufFilePtr file; @@ -180,14 +180,12 @@ BufFilePushCompressed (BufFilePtr f) file->tab_suffix[code] = (char_type) code; } file->free_ent = ((file->block_compress) ? FIRST : 256 ); + file->oldcode = -1; file->clear_flg = 0; file->offset = 0; file->size = 0; file->stackp = file->de_stack; bzero(file->buf, BITS); - file->finchar = file->oldcode = getcode (file); - if (file->oldcode != -1) - *file->stackp++ = file->finchar; return BufFileCreate ((char *) file, BufCompressedFill, 0, @@ -232,9 +230,6 @@ BufCompressedFill (BufFilePtr f) if (buf == bufend) break; - if (oldcode == -1) - break; - code = getcode (file); if (code == -1) break; @@ -243,26 +238,34 @@ BufCompressedFill (BufFilePtr f) for ( code = 255; code >= 0; code-- ) file->tab_prefix[code] = 0; file->clear_flg = 1; - file->free_ent = FIRST - 1; - if ( (code = getcode (file)) == -1 ) /* O, untimely death! */ - break; + file->free_ent = FIRST; + oldcode = -1; + continue; } incode = code; /* * Special case for KwKwK string. */ if ( code >= file->free_ent ) { + if ( code > file->free_ent || oldcode == -1 ) { + /* Bad stream. */ + return BUFFILEEOF; + } *stackp++ = finchar; code = oldcode; } - + /* + * The above condition ensures that code < free_ent. + * The construction of tab_prefixof in turn guarantees that + * each iteration decreases code and therefore stack usage is + * bound by 1 << BITS - 256. + */ + /* * Generate output characters in reverse order */ while ( code >= 256 ) { - if (stackp - de_stack >= STACK_SIZE - 1) - return BUFFILEEOF; *stackp++ = file->tab_suffix[code]; code = file->tab_prefix[code]; } @@ -272,7 +275,7 @@ BufCompressedFill (BufFilePtr f) /* * Generate the new entry. */ - if ( (code=file->free_ent) < file->maxmaxcode ) { + if ( (code=file->free_ent) < file->maxmaxcode && oldcode != -1) { file->tab_prefix[code] = (unsigned short)oldcode; file->tab_suffix[code] = finchar; file->free_ent = code+1; -- Alioth's /srv/git/_hooks_/post-receive-email on /srv/git/code.x2go.org/nx-libs.git
-
git-admin@x2go.org