*** libclamav/inflate64_priv.h.ORIG Thu Mar 27 17:35:30 2008 --- libclamav/inflate64_priv.h Thu Mar 27 17:35:47 2008 *************** *** 125,131 **** CHECK, /* i: waiting for 32-bit check value */ LENGTH, /* i: waiting for 32-bit length (gzip) */ DONE, /* finished check, done -- remain here until reset */ ! BAD, /* got a data error -- remain here until reset */ MEM, /* got an inflate() memory error -- remain here until reset */ SYNC /* looking for synchronization bytes to restart inflate() */ } inflate_mode; --- 125,131 ---- CHECK, /* i: waiting for 32-bit check value */ LENGTH, /* i: waiting for 32-bit length (gzip) */ DONE, /* finished check, done -- remain here until reset */ ! mpBAD, /* got a data error -- remain here until reset */ MEM, /* got an inflate() memory error -- remain here until reset */ SYNC /* looking for synchronization bytes to restart inflate() */ } inflate_mode; *** libclamav/inflate64.c.ORIG Thu Mar 27 17:35:24 2008 --- libclamav/inflate64.c Thu Mar 27 17:36:27 2008 *************** *** 416,432 **** NEEDBITS(16); if ( ((BITS(8) << 8) + (hold >> 8)) % 31) { ! state->mode = BAD; break; } if (BITS(4) != Z_DEFLATED) { ! state->mode = BAD; break; } DROPBITS(4); len = BITS(4) + 8; if (len > state->wbits) { ! state->mode = BAD; break; } state->dmax = 1U << len; --- 416,432 ---- NEEDBITS(16); if ( ((BITS(8) << 8) + (hold >> 8)) % 31) { ! state->mode = mpBAD; break; } if (BITS(4) != Z_DEFLATED) { ! state->mode = mpBAD; break; } DROPBITS(4); len = BITS(4) + 8; if (len > state->wbits) { ! state->mode = mpBAD; break; } state->dmax = 1U << len; *************** *** 472,478 **** state->mode = TABLE; break; case 3: ! state->mode = BAD; } DROPBITS(2); break; --- 472,478 ---- state->mode = TABLE; break; case 3: ! state->mode = mpBAD; } DROPBITS(2); break; *************** *** 480,486 **** BYTEBITS(); /* go to byte boundary */ NEEDBITS(32); if ((hold & 0xffff) != ((hold >> 16) ^ 0xffff)) { ! state->mode = BAD; break; } state->length = (unsigned)hold & 0xffff; --- 480,486 ---- BYTEBITS(); /* go to byte boundary */ NEEDBITS(32); if ((hold & 0xffff) != ((hold >> 16) ^ 0xffff)) { ! state->mode = mpBAD; break; } state->length = (unsigned)hold & 0xffff; *************** *** 515,521 **** DROPBITS(4); #ifndef PKZIP_BUG_WORKAROUND if (state->nlen > 286 || state->ndist > 30) { ! state->mode = BAD; break; } #endif --- 515,521 ---- DROPBITS(4); #ifndef PKZIP_BUG_WORKAROUND if (state->nlen > 286 || state->ndist > 30) { ! state->mode = mpBAD; break; } #endif *************** *** 536,542 **** ret = inflate_table(CODES, state->lens, 19, &(state->next), &(state->lenbits), state->work); if (ret) { ! state->mode = BAD; break; } Tracev((stderr, "inflate: code lengths ok\n")); --- 536,542 ---- ret = inflate_table(CODES, state->lens, 19, &(state->next), &(state->lenbits), state->work); if (ret) { ! state->mode = mpBAD; break; } Tracev((stderr, "inflate: code lengths ok\n")); *************** *** 559,565 **** NEEDBITS(this.bits + 2); DROPBITS(this.bits); if (state->have == 0) { ! state->mode = BAD; break; } len = state->lens[state->have - 1]; --- 559,565 ---- NEEDBITS(this.bits + 2); DROPBITS(this.bits); if (state->have == 0) { ! state->mode = mpBAD; break; } len = state->lens[state->have - 1]; *************** *** 581,587 **** DROPBITS(7); } if (state->have + copy > state->nlen + state->ndist) { ! state->mode = BAD; break; } while (copy--) --- 581,587 ---- DROPBITS(7); } if (state->have + copy > state->nlen + state->ndist) { ! state->mode = mpBAD; break; } while (copy--) *************** *** 590,596 **** } /* handle error breaks in while */ ! if (state->mode == BAD) break; /* build code tables */ state->next = state->codes; --- 590,596 ---- } /* handle error breaks in while */ ! if (state->mode == mpBAD) break; /* build code tables */ state->next = state->codes; *************** *** 599,605 **** ret = inflate_table(LENS, state->lens, state->nlen, &(state->next), &(state->lenbits), state->work); if (ret) { ! state->mode = BAD; break; } state->distcode = (code const FAR *)(state->next); --- 599,605 ---- ret = inflate_table(LENS, state->lens, state->nlen, &(state->next), &(state->lenbits), state->work); if (ret) { ! state->mode = mpBAD; break; } state->distcode = (code const FAR *)(state->next); *************** *** 607,613 **** ret = inflate_table(DISTS, state->lens + state->nlen, state->ndist, &(state->next), &(state->distbits), state->work); if (ret) { ! state->mode = BAD; break; } Tracev((stderr, "inflate: codes ok\n")); --- 607,613 ---- ret = inflate_table(DISTS, state->lens + state->nlen, state->ndist, &(state->next), &(state->distbits), state->work); if (ret) { ! state->mode = mpBAD; break; } Tracev((stderr, "inflate: codes ok\n")); *************** *** 650,656 **** break; } if (this.op & 64) { ! state->mode = BAD; break; } state->extra = (unsigned)(this.op) & 31; --- 650,656 ---- break; } if (this.op & 64) { ! state->mode = mpBAD; break; } state->extra = (unsigned)(this.op) & 31; *************** *** 681,687 **** } DROPBITS(this.bits); if (this.op & 64) { ! state->mode = BAD; break; } Tracevv((stderr, "inflate: val %u\n", state->offset)); --- 681,687 ---- } DROPBITS(this.bits); if (this.op & 64) { ! state->mode = mpBAD; break; } Tracevv((stderr, "inflate: val %u\n", state->offset)); *************** *** 696,707 **** } #ifdef INFLATE_STRICT if (state->offset > state->dmax) { ! state->mode = BAD; break; } #endif if (state->offset > state->whave + out - left) { ! state->mode = BAD; break; } Tracevv((stderr, "inflate: distance %u\n", state->offset)); --- 696,707 ---- } #ifdef INFLATE_STRICT if (state->offset > state->dmax) { ! state->mode = mpBAD; break; } #endif if (state->offset > state->whave + out - left) { ! state->mode = mpBAD; break; } Tracevv((stderr, "inflate: distance %u\n", state->offset)); *************** *** 749,755 **** out = left; if (( REVERSE(hold)) != state->check) { ! state->mode = BAD; break; } INITBITS(); --- 749,755 ---- out = left; if (( REVERSE(hold)) != state->check) { ! state->mode = mpBAD; break; } INITBITS(); *************** *** 759,765 **** case DONE: ret = Z_STREAM_END; goto inf_leave; ! case BAD: ret = Z_DATA_ERROR; goto inf_leave; case MEM: --- 759,765 ---- case DONE: ret = Z_STREAM_END; goto inf_leave; ! case mpBAD: ret = Z_DATA_ERROR; goto inf_leave; case MEM: