X-Git-Url: https://asedeno.scripts.mit.edu/gitweb/?a=blobdiff_plain;f=sshzlib.c;h=c69edfb81f9a09648baa67c5cf909b3e83aaabcc;hb=068b67d2f6e9b186b3107ebcb1e88a141b7b5ebc;hp=373c77930d7a9ceeddb1ce6969011de9324f4e2a;hpb=ecd50ec3495e38d6998e88e00743f34a6ae8cc61;p=PuTTY.git
diff --git a/sshzlib.c b/sshzlib.c
index 373c7793..c69edfb8 100644
--- a/sshzlib.c
+++ b/sshzlib.c
@@ -38,6 +38,7 @@
 */
 #include
+#include
 #include
 #ifdef ZLIB_STANDALONE
@@ -204,9 +205,16 @@ static void lz77_compress(struct LZ77Context *ctx,
 struct Match defermatch, matches[MAXMATCH];
 int deferchr;
+ assert(st->npending <= HASHCHARS);
+
 /*
 * Add any pending characters from last time to the window. (We
 * might not be able to.)
+ *
+ * This leaves st->pending empty in the usual case (when len >=
+ * HASHCHARS); otherwise it leaves st->pending empty enough that
+ * adding all the remaining 'len' characters will not push it past
+ * HASHCHARS in size.
 */
 for (i = 0; i < st->npending; i++) {
 unsigned char foo[HASHCHARS];
@@ -224,6 +232,7 @@ static void lz77_compress(struct LZ77Context *ctx,
 }
 st->npending -= i;
+ defermatch.distance = 0; /* appease compiler */
 defermatch.len = 0;
 deferchr = '\0';
 while (len > 0) {
@@ -332,6 +341,7 @@ static void lz77_compress(struct LZ77Context *ctx,
 if (len >= HASHCHARS) {
 lz77_advance(st, *data, lz77_hash(data));
 } else {
+ assert(st->npending < HASHCHARS);
 st->pending[st->npending++] = *data;
 }
 data++;
@@ -698,9 +708,9 @@ int zlib_compress_block(void *handle, unsigned char *block, int len,
 /*
 * Start a Deflate (RFC1951) uncompressed block. We
- * transmit a zero bit (BFINAL=0), followed by a zero
- * bit and a one bit (BTYPE=00). Of course these are in
- * the wrong order (00 0).
+ * transmit a zero bit (BFINAL=0), followed by two more
+ * zero bits (BTYPE=00). Of course these are in the
+ * wrong order (00 0), not that it matters.
 */
 outbits(out, 0, 3);
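Review bot: The two new `assert` calls in lz77_compress are the only bounds check on the store `st->pending[st->npending++] = *data;`, and both vanish in any build that defines NDEBUG. This applies to `assert(st->npending <= HASHCHARS);` at the top of the function and to `assert(st->npending < HASHCHARS);` in the `else` branch of the later hunk. The declaration of `pending` is outside these hunks, so its capacity is presumably HASHCHARS and should be confirmed against the struct. I would add a comment at the second assert recording the invariant, for example `/* invariant: pending[] never holds more than HASHCHARS bytes; this check must stay enabled in release builds */`. The body of lz77_compress continues outside both hunks.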
@@ -1224,6 +1234,8 @@ int zlib_decompress_block(void *handle, unsigned char *block, int len,
 goto finished;
 if (code == -2)
 goto decode_error;
+ if (code >= 30) /* dist symbols 30 and 31 are invalid */
+ goto decode_error;
 dctx->state = GOTDISTSYM;
 dctx->sym = code;
 break;
@@ -1258,6 +1270,8 @@ int zlib_decompress_block(void *handle, unsigned char *block, int len,
 goto finished;
 nlen = dctx->bits & 0xFFFF;
 EATBITS(16);
+ if (dctx->uncomplen != (nlen ^ 0xFFFF))
+ goto decode_error;
 if (dctx->uncomplen == 0)
 dctx->state = OUTSIDEBLK; /* block is empty */
 else
@@ -1368,6 +1382,7 @@ int main(int argc, char **argv)
 const struct ssh_compress ssh_zlib = {
 "zlib",
+ "zlib@openssh.com", /* delayed version */
 zlib_compress_init,
 zlib_compress_cleanup,
 zlib_compress_block,
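Review bot: The bare `30` in `if (code >= 30)` is not tied to whatever `dctx->sym` is used to index once the state becomes GOTDISTSYM, and that code is outside this hunk. Because the value comes straight from peer-supplied compressed data, the guard and the table it protects should not be able to drift apart; deriving the bound from the distance table's element count, or a named constant shared with it, would make that explicit. At minimum the comment should say why, e.g. `/* RFC 1951: distance codes 30-31 never occur in valid data and have no table entry */`. The hunk does not show whether the literal/length path rejects symbols 286 and 287 in the same way, so that is worth checking alongside.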
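Review bot: The new test `dctx->uncomplen != (nlen ^ 0xFFFF)` is only correct if `dctx->uncomplen` was itself masked to 16 bits when it was stored, and that assignment is outside this hunk. `nlen` is masked with `& 0xFFFF` on the line above, so the right-hand side always fits in 16 bits; an unmasked or sign-extended `uncomplen` would make valid stored blocks fail the comparison. I would also state the rule being enforced next to the check, for example `/* RFC 1951: NLEN must be the one's complement of LEN */`, so the reason for the XOR is not lost.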
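Review bot: The new string is inserted as the second positional member of `ssh_zlib`, so every other `struct ssh_compress` initializer in the tree must gain a matching entry, or the function pointers after it shift into the wrong slots. The struct definition and the other instances are outside this hunk; a mismatch would normally be caught as an incompatible-pointer diagnostic, but only if warnings are treated seriously. The comment `/* delayed version */` also undersells the contract: this name exists so that the decompressor is not reachable before authentication, so I would write `/* delayed variant: must not be activated until user authentication has succeeded */` and confirm that the transport code, which is outside this file, enforces it.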