From e61ae9a1f95a0c62a98d9ce29ca5a2cce59f9795 Mon Sep 17 00:00:00 2001 From: Christoph Oelckers Date: Sun, 11 Dec 2016 21:32:19 +0100 Subject: [PATCH 01/11] - pass a proper self pointer to BuiltinCallActionSpecial instead of making bogus assumptions about a function's parameters. --- src/scripting/codegeneration/codegen.cpp | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/scripting/codegeneration/codegen.cpp b/src/scripting/codegeneration/codegen.cpp index 06cdfbd06..1ec74052a 100644 --- a/src/scripting/codegeneration/codegen.cpp +++ b/src/scripting/codegeneration/codegen.cpp @@ -7083,7 +7083,7 @@ FxExpression *FxFunctionCall::Resolve(FCompileContext& ctx) delete this; return nullptr; } - FxExpression *self = (ctx.Function && ctx.Function->Variants[0].Flags & VARF_Method) ? new FxSelf(ScriptPosition) : nullptr; + FxExpression *self = (ctx.Function && ctx.Function->Variants[0].Flags & VARF_Method) ? new FxSelf(ScriptPosition) : (FxExpression*)new FxConstant(ScriptPosition); FxExpression *x = new FxActionSpecialCall(self, special, ArgList, ScriptPosition); delete this; return x->Resolve(ctx); @@ -7655,9 +7655,9 @@ ExpEmit FxActionSpecialCall::Emit(VMFunctionBuilder *build) unsigned i = 0; build->Emit(OP_PARAMI, abs(Special)); // pass special number - // fixme: This really should use the Self pointer that got passed to this class instead of just using the first argument from the function. - // Once static functions are possible, or specials can be called through a member access operator this won't work anymore. - build->Emit(OP_PARAM, 0, REGT_POINTER, 0); // pass self + + ExpEmit selfemit(Self->Emit(build)); + build->Emit(OP_PARAM, 0, selfemit.Konst ? REGT_POINTER | REGT_KONST : REGT_POINTER, selfemit.RegNum); // pass special number for (; i < ArgList.Size(); ++i) { FxExpression *argex = ArgList[i]; From 77d9978b278bda04dc5ead665423f3a3f44f48db Mon Sep 17 00:00:00 2001 
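Review bot: The fallback branch of the ternary that initializes `self` in FxFunctionCall::Resolve uses a C-style cast, `(FxExpression*)new FxConstant(ScriptPosition)`, to give both branches a common type; `static_cast<FxExpression*>(new FxConstant(ScriptPosition))` expresses the same upcast and is greppable. Nothing in the hunk shows what an FxConstant built from only a ScriptPosition denotes (presumably a null pointer constant), so a short comment such as `// no usable self: pass a null activator constant instead` would document the intent for the next reader. FxFunctionCall::Resolve starts and ends outside the hunk.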
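Review bot: The trailing comment on the new OP_PARAM line in FxActionSpecialCall::Emit, `// pass special number`, was carried over from the OP_PARAMI line above it; this operand is the activator, so it should read `// pass self`. The ExpEmit obtained from `Self->Emit(build)` is also not released after the parameter is emitted; if this file frees argument registers with `selfemit.Free(build)` as the argument loop presumably does, the same call belongs right after the OP_PARAM line. FxActionSpecialCall::Emit continues past the end of the hunk.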
From: Christoph Oelckers Date: Sun, 11 Dec 2016 21:39:35 +0100 Subject: [PATCH 02/11] - fixed: Non-Actors cannot act as activators for action specials and must pass null when acticating one. --- src/scripting/codegeneration/codegen.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/scripting/codegeneration/codegen.cpp b/src/scripting/codegeneration/codegen.cpp index 1ec74052a..90fbcfe68 100644 --- a/src/scripting/codegeneration/codegen.cpp +++ b/src/scripting/codegeneration/codegen.cpp @@ -7083,7 +7083,7 @@ FxExpression *FxFunctionCall::Resolve(FCompileContext& ctx) delete this; return nullptr; } - FxExpression *self = (ctx.Function && ctx.Function->Variants[0].Flags & VARF_Method) ? new FxSelf(ScriptPosition) : (FxExpression*)new FxConstant(ScriptPosition); + FxExpression *self = (ctx.Function && (ctx.Function->Variants[0].Flags & VARF_Method) && ctx.Class->IsKindOf(RUNTIME_CLASS(PClassActor))) ? new FxSelf(ScriptPosition) : (FxExpression*)new FxConstant(ScriptPosition); FxExpression *x = new FxActionSpecialCall(self, special, ArgList, ScriptPosition); delete this; return x->Resolve(ctx); From 56a42a26b2dc85abd4d957604171516819bbbef8 Mon Sep 17 00:00:00 2001 From: Christoph Oelckers Date: Mon, 12 Dec 2016 12:32:48 +0100 Subject: [PATCH 03/11] - fixed: DPSprite's constructor did not initialize the 'Sprite' member variable. This can cause problems if some weapon starts with a placeholder sprite in the first state. --- src/p_pspr.cpp | 1 + 1 file changed, 1 insertion(+) diff --git a/src/p_pspr.cpp b/src/p_pspr.cpp index 3ef74da73..238412bb6 100644 --- a/src/p_pspr.cpp +++ b/src/p_pspr.cpp @@ -136,6 +136,7 @@ DPSprite::DPSprite(player_t *owner, AActor *caller, int id) : x(.0), y(.0), oldx(.0), oldy(.0), firstTic(true), + Sprite(0), Flags(0), Caller(caller), Owner(owner), From f3762934e3d314105a3a67351845a37c26b550a8 Mon Sep 17 00:00:00 2001 
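Review bot: The new condition in FxFunctionCall::Resolve encodes a rule that is stated only in the commit message, namely that a class outside the Actor hierarchy cannot be an activator and therefore passes a null constant; a comment on the line, `// only Actors can activate specials; any other class passes null`, would keep the next reader from "fixing" it back. `ctx.Class` is dereferenced unconditionally once the VARF_Method test passes; if a method context always carries a class that is fine, otherwise it needs the same null guard that `ctx.Function` gets. The ternary is now over 150 characters wide, so computing the condition into a named `bool` before the assignment would help readability. The enclosing function starts and ends outside the hunk.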
From: Christoph Oelckers Date: Mon, 12 Dec 2016 12:50:17 +0100 Subject: [PATCH 04/11] - fixed: A_AlertMonsters lost one 'self.' during conversion. --- wadsrc/static/zscript/strife/strifefunctions.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wadsrc/static/zscript/strife/strifefunctions.txt b/wadsrc/static/zscript/strife/strifefunctions.txt index 3a0dec22f..ed6c3854e 100644 --- a/wadsrc/static/zscript/strife/strifefunctions.txt +++ b/wadsrc/static/zscript/strife/strifefunctions.txt @@ -164,7 +164,7 @@ extend class Actor { target = self; } - else if (target != null && (self.target.player != null || (Flags & AMF_TARGETNONPLAYER))) + else if (self.target != null && (self.target.player != null || (Flags & AMF_TARGETNONPLAYER))) { target = self.target; } From 5e171824acfe7e352c187517a837cc2c37b92f7d Mon Sep 17 00:00:00 2001 From: Rachael Alexanderson Date: Sun, 11 Dec 2016 18:22:50 -0500 Subject: [PATCH 05/11] - "myinfo" - executes info on oneself - "targetinv" - executes "printinv" at current crosshair target --- src/c_cmds.cpp | 10 ++++++++++ src/g_inventory/a_pickups.cpp | 24 ++++++++++++++++++++++++ 2 files changed, 34 insertions(+) diff --git a/src/c_cmds.cpp b/src/c_cmds.cpp index 56739502e..c9e6dfe93 100644 --- a/src/c_cmds.cpp +++ b/src/c_cmds.cpp @@ -906,6 +906,16 @@ CCMD(info) "the NOBLOCKMAP flag or have height/radius of 0.\n"); } +CCMD(myinfo) +{ + if (CheckCheatmode () || players[consoleplayer].mo == NULL) return; + Printf("Target=%s, Health=%d, Spawnhealth=%d\n", + players[consoleplayer].mo->GetClass()->TypeName.GetChars(), + players[consoleplayer].mo->health, + players[consoleplayer].mo->SpawnHealth()); + PrintMiscActorInfo(players[consoleplayer].mo); +} + typedef bool (*ActorTypeChecker) (AActor *); static bool IsActorAMonster(AActor *mo) diff --git a/src/g_inventory/a_pickups.cpp b/src/g_inventory/a_pickups.cpp index bdd1b6dc6..42af5e87f 100644 --- a/src/g_inventory/a_pickups.cpp +++ b/src/g_inventory/a_pickups.cpp 
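Review bot: CCMD(myinfo) prints `Target=%s` for the console player's own actor, a label inherited from the `info` command that is misleading here; `Self=%s` or `Class=%s` would match what the command reports. `players[consoleplayer].mo` is evaluated five times in the body; binding it once after the guard, `AActor *mo = players[consoleplayer].mo;`, removes the repetition and shortens the Printf call. Keeping the `CheckCheatmode()` guard is the right call, since the command exposes actor internals that the neighbouring `info` command also gates behind cheat mode.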
@@ -1598,6 +1598,30 @@ CCMD (printinv) } } +CCMD (targetinv) +{ + AInventory *item; + FTranslatedLineTarget t; + + if (CheckCheatmode () || players[consoleplayer].mo == NULL) + return; + + P_AimLineAttack(players[consoleplayer].mo,players[consoleplayer].mo->Angles.Yaw, MISSILERANGE, + &t, 0., ALF_CHECKNONSHOOTABLE|ALF_FORCENOSMART); + + if (t.linetarget) + { + for (item = t.linetarget->Inventory; item != NULL; item = item->Inventory) + { + Printf ("%s #%u (%d/%d)\n", item->GetClass()->TypeName.GetChars(), + item->InventoryID, + item->Amount, item->MaxAmount); + } + } + else Printf("No target found. Targetinv cannot find actors that have " + "the NOBLOCKMAP flag or have height/radius of 0.\n"); +} + //=========================================================================== // // AInventory :: AttachToOwner From c3cb9d20fbda0129324d51038a8a28341fe51e3e Mon Sep 17 00:00:00 2001 From: Magnus Norddahl Date: Thu, 15 Dec 2016 00:15:18 +0100 Subject: [PATCH 06/11] Fix uncleared buffer when upscaling the cursor --- src/win32/i_system.cpp | 1 + 1 file changed, 1 insertion(+) diff --git a/src/win32/i_system.cpp b/src/win32/i_system.cpp index 9de5a2d47..99ed4fa94 100644 --- a/src/win32/i_system.cpp +++ b/src/win32/i_system.cpp @@ -1428,6 +1428,7 @@ static HCURSOR CreateAlphaCursor(FTexture *cursorpic) { TArray unscaled; unscaled.Resize(32 * 32); + for (int i = 0; i < 32 * 32; i++) unscaled[i] = 0; FBitmap bmp((BYTE *)&unscaled[0] + 31 * 32 * 4, -32 * 4, 32, 32); cursorpic->CopyTrueColorPixels(&bmp, 0, 0); uint32_t *scaled = (uint32_t*)bits; From 8fede44c3dda241e7c8096612e2cb70482ddedb3 Mon Sep 17 00:00:00 2001 From: Rachael Alexanderson Date: Thu, 15 Dec 2016 11:37:05 -0500 Subject: [PATCH 07/11] - fixed: Some RenderStyles would crash ZDoom. --- src/r_draw.cpp | 1 + 1 file changed, 1 insertion(+) diff --git a/src/r_draw.cpp b/src/r_draw.cpp index 12aa3484b..a461e1877 100644 --- a/src/r_draw.cpp +++ b/src/r_draw.cpp 
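Review bot: The inventory-printing loop in the new CCMD(targetinv) appears to duplicate the body of `printinv` directly above it (that body lies outside the hunk); factoring the loop into a static helper such as `static void PrintActorInventory(AActor *actor)` used by both commands would keep the two output formats from drifting apart. The `#%u` conversion for `item->InventoryID` is only correct if that member is unsigned, which the hunk does not show, so it is worth confirming against the declaration. The failure message also capitalizes the command as `Targetinv`, unlike the lowercase name the user typed.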
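Review bot: The zero-fill loop added in CreateAlphaCursor repeats the hardcoded `32 * 32` that `unscaled.Resize(32 * 32)` already uses on the line above; clearing through the container's own size, `memset(&unscaled[0], 0, unscaled.Size() * sizeof(unscaled[0]));`, keeps the two in step and makes the intent explicit (the buffer was previously handed to FBitmap with uninitialized heap contents). The element type of `unscaled` is not visible in this rendering of the hunk, so the `sizeof(unscaled[0])` form also avoids assuming it. CreateAlphaCursor continues outside the hunk.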
@@ -175,6 +175,7 @@ namespace swrenderer { identitymap[i] = i; } + identitycolormap.Maps = identitymap; } void R_InitFuzzTable(int fuzzoff) From 9ef551b84af4392566658032217c1c851421c9ff Mon Sep 17 00:00:00 2001 From: Christoph Oelckers Date: Fri, 16 Dec 2016 00:26:51 +0100 Subject: [PATCH 08/11] - fixed: Start items for players were never actually checked for their type and could cause crashes if non-inventories were given. --- src/p_user.cpp | 59 ++++++++++++++++++++++++++++---------------------- 1 file changed, 33 insertions(+), 26 deletions(-) diff --git a/src/p_user.cpp b/src/p_user.cpp index e2d799834..47c64d063 100644 --- a/src/p_user.cpp +++ b/src/p_user.cpp 
@@ -1366,42 +1366,49 @@ void APlayerPawn::GiveDefaultInventory () PClassActor *ti = PClass::FindActor (di->Name); if (ti) { - AInventory *item = FindInventory (ti); - if (item != NULL) + if (!ti->IsDescendantOf(RUNTIME_CLASS(AInventory))) { - item->Amount = clamp( - item->Amount + (di->Amount ? di->Amount : ((AInventory *)item->GetDefault ())->Amount), - 0, item->MaxAmount); + Printf(TEXTCOLOR_ORANGE "%s is not an inventory item and cannot be given to a player as start item.\n", ti->TypeName.GetChars()); } else { - item = static_cast(Spawn (ti)); - item->ItemFlags |= IF_IGNORESKILL; // no skill multiplicators here - item->Amount = di->Amount; - if (item->IsKindOf (RUNTIME_CLASS (AWeapon))) + AInventory *item = FindInventory(ti); + if (item != NULL) { - // To allow better control any weapon is emptied of - // ammo before being given to the player. - static_cast(item)->AmmoGive1 = - static_cast(item)->AmmoGive2 = 0; + item->Amount = clamp( + item->Amount + (di->Amount ? di->Amount : ((AInventory *)item->GetDefault())->Amount), + 0, item->MaxAmount); } - AActor *check; - if (!item->CallTryPickup(this, &check)) + else { - if (check != this) + item = static_cast(Spawn(ti)); + item->ItemFlags |= IF_IGNORESKILL; // no skill multiplicators here + item->Amount = di->Amount; + if (item->IsKindOf(RUNTIME_CLASS(AWeapon))) { - // Player was morphed. This is illegal at game start. - // This problem is only detectable when it's too late to do something about it... - I_Error("Cannot give morph items when starting a game"); + // To allow better control any weapon is emptied of + // ammo before being given to the player. + static_cast(item)->AmmoGive1 = + static_cast(item)->AmmoGive2 = 0; + } + AActor *check; + if (!item->CallTryPickup(this, &check)) + { + if (check != this) + { + // Player was morphed. This is illegal at game start. + // This problem is only detectable when it's too late to do something about it... 
+ I_Error("Cannot give morph items when starting a game"); + } + item->Destroy(); + item = NULL; } - item->Destroy (); - item = NULL; } - } - if (item != NULL && item->IsKindOf (RUNTIME_CLASS (AWeapon)) && - static_cast(item)->CheckAmmo(AWeapon::EitherFire, false)) - { - player->ReadyWeapon = player->PendingWeapon = static_cast (item); + if (item != NULL && item->IsKindOf(RUNTIME_CLASS(AWeapon)) && + static_cast(item)->CheckAmmo(AWeapon::EitherFire, false)) + { + player->ReadyWeapon = player->PendingWeapon = static_cast (item); + } } } di = di->Next; From 7ca5851f785ef6613706b7c593554b4fc94c853b Mon Sep 17 00:00:00 2001 From: Christoph Oelckers Date: Fri, 16 Dec 2016 08:05:29 +0100 Subject: [PATCH 09/11] - fixed a second spot in RapidJSON where a bad NaN check was done. --- src/rapidjson/writer.h | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/src/rapidjson/writer.h b/src/rapidjson/writer.h index a8eeab66d..a288f07ff 100644 --- a/src/rapidjson/writer.h +++ b/src/rapidjson/writer.h @@ -524,8 +524,13 @@ template<> inline bool Writer::WriteDouble(double d) { if (internal::Double(d).IsNanOrInf()) { // Note: This code path can only be reached if (RAPIDJSON_WRITE_DEFAULT_FLAGS & kWriteNanAndInfFlag). - if (!(kWriteDefaultFlags & kWriteNanAndInfFlag)) - return false; + if (!(kWriteDefaultFlags & kWriteNanAndInfFlag)) + { + // At least ensure that the output does not get broken. + PutReserve(*os_, 1); + PutUnsafe(*os_, '0'); + return false; + } if (internal::Double(d).IsNan()) { PutReserve(*os_, 3); PutUnsafe(*os_, 'N'); PutUnsafe(*os_, 'a'); PutUnsafe(*os_, 'N'); From 7aaa03d3e02fbbfc51a5a548befafbae484fa266 Mon Sep 17 00:00:00 2001 
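Review bot: The new `IsDescendantOf(RUNTIME_CLASS(AInventory))` check in APlayerPawn::GiveDefaultInventory is the right guard, but it runs every time a player's default inventory is given, so a bad start item in a class definition is reported repeatedly at runtime rather than once where the list is built; if the start-item list is parsed in one place, rejecting it there would give the modder the diagnostic at load time. Wrapping the existing body in `else { ... }` re-indents roughly thirty lines for a three-line change; because the loop advances `di` at its tail, a bare `continue` cannot be used, but moving `di = di->Next;` into a `for` header would allow `Printf(...); continue;` and keep the diff to the check itself. The enclosing function starts and ends outside the hunk.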
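Review bot: The new branch in Writer::WriteDouble writes a literal `0` for a NaN or infinite value and then returns false, so a caller that ignores the return value receives a well-formed document containing a silently substituted number. The comment should state that contract explicitly, e.g. `// Emit a placeholder so the output stays well-formed; callers must treat the false return as a failed write.`, and it is worth considering `null` as the placeholder instead, since it does not masquerade as a valid value. The retained upstream note above the branch ("This code path can only be reached if ...") now contradicts the branch that follows it and should be reworded or dropped. Writer::WriteDouble continues outside the hunk.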
From: Edoardo Prezioso Date: Fri, 16 Dec 2016 16:30:21 +0100 Subject: [PATCH 10/11] - Import GME fix to critical security bug. Details at the following link: https://scarybeastsecurity.blogspot.com/2016/12/redux-compromising-linux-using-snes.html . --- game-music-emu/gme/Spc_Cpu.h | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/game-music-emu/gme/Spc_Cpu.h b/game-music-emu/gme/Spc_Cpu.h index 0ce7af7de..ba2ca7a81 100644 --- a/game-music-emu/gme/Spc_Cpu.h +++ b/game-music-emu/gme/Spc_Cpu.h @@ -76,8 +76,8 @@ Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA */ // TODO: remove non-wrapping versions? #define SPC_NO_SP_WRAPAROUND 0 -#define SET_SP( v ) (sp = ram + 0x101 + (v)) -#define GET_SP() (int(sp - 0x101 - ram)) +#define SET_SP( v ) (sp = ram + 0x101 + ((uint8_t) v)) +#define GET_SP() (uint8_t) (sp - 0x101 - ram) #if SPC_NO_SP_WRAPAROUND #define PUSH16( v ) (sp -= 2, SET_LE16( sp, v )) @@ -485,7 +485,7 @@ loop: case 0xAF: // MOV (X)+,A WRITE_DP( 0, x, a + no_read_before_write ); - x++; + x = (uint8_t) (x + 1); goto loop; // 5. 8-BIT LOGIC OPERATION COMMANDS @@ -808,7 +808,7 @@ loop: unsigned temp = y * a; a = (uint8_t) temp; nz = ((temp >> 1) | temp) & 0x7F; - y = temp >> 8; + y = (uint8_t) (temp >> 8); nz |= y; goto loop; } @@ -838,6 +838,7 @@ loop: nz = (uint8_t) a; a = (uint8_t) a; + y = (uint8_t) y; goto loop; } @@ -1004,7 +1005,7 @@ loop: case 0x7F: // RET1 temp = *sp; SET_PC( GET_LE16( sp + 1 ) ); - sp += 3; + SET_SP(GET_SP() + 3); goto set_psw; case 0x8E: // POP PSW POP( temp ); From 14c282da30555e84b8d61a060e38d162bd455bb0 Mon Sep 17 00:00:00 2001 
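Review bot: The new SET_SP macro does not parenthesize its argument before the cast, so `SET_SP(GET_SP() + 3)` in the RET1 hunk further down expands to `(uint8_t) (uint8_t) (sp - 0x101 - ram) + 3`: only the current SP value is narrowed and the `+ 3` is added afterwards in int arithmetic, which means a return with SP in the 0xFD..0xFF range still leaves `sp` beyond the stack page instead of wrapping within it, the exact condition this fix is meant to close. Change the macro to `#define SET_SP( v ) (sp = ram + 0x101 + ((uint8_t) (v)))` and, for the same hygiene, `#define GET_SP() ((uint8_t) (sp - 0x101 - ram))`. Whether the unwrapped pointer still lands inside `ram` depends on the array's size, which is outside the hunk, so treat this as a missed wrap to be verified rather than a proven overrun. The other hunks in this file narrow `x` and `y` correctly and need no change.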
From: Edoardo Prezioso Date: Fri, 16 Dec 2016 17:06:37 +0100 Subject: [PATCH 11/11] - Upgrade bzip2 to version 1.0.6. Includes a fix for CVE-2010-0405. --- bzip2/CHANGES | 12 ++++++++++-- bzip2/LICENSE | 4 ++-- bzip2/README | 9 +++++++-- bzip2/blocksort.c | 4 ++-- bzip2/bzlib.c | 4 ++-- bzip2/bzlib.h | 4 ++-- bzip2/bzlib_private.h | 6 +++--- bzip2/compress.c | 4 ++-- bzip2/crctable.c | 4 ++-- bzip2/decompress.c | 24 ++++++++++++++++++++++-- bzip2/huffman.c | 4 ++-- bzip2/randtable.c | 4 ++-- 12 files changed, 58 insertions(+), 25 deletions(-) diff --git a/bzip2/CHANGES b/bzip2/CHANGES index 6e4f65e2e..81e97ca6f 100644 --- a/bzip2/CHANGES +++ b/bzip2/CHANGES @@ -2,8 +2,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.5 of 10 December 2007 - Copyright (C) 1996-2007 Julian Seward + bzip2/libbzip2 version 1.0.6 of 6 September 2010 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. @@ -317,3 +317,11 @@ Fixes some minor bugs since the last version, 1.0.3. ~~~~~~~~~~~~~~~~~ Security fix only. Fixes CERT-FI 20469 as it applies to bzip2. + +1.0.6 (6 Sept 10) +~~~~~~~~~~~~~~~~~ + +* Security fix for CVE-2010-0405. This was reported by Mikolaj + Izdebski. + +* Make the documentation build on Ubuntu 10.04 diff --git a/bzip2/LICENSE b/bzip2/LICENSE index f420cffb6..cc614178c 100644 --- a/bzip2/LICENSE +++ b/bzip2/LICENSE @@ -2,7 +2,7 @@ -------------------------------------------------------------------------- This program, "bzip2", the associated library "libbzip2", and all -documentation, are copyright (C) 1996-2007 Julian R Seward. All +documentation, are copyright (C) 1996-2010 Julian R Seward. All rights reserved. Redistribution and use in source and binary forms, with or without 
@@ -37,6 +37,6 @@ NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. Julian Seward, jseward@bzip.org -bzip2/libbzip2 version 1.0.5 of 10 December 2007 +bzip2/libbzip2 version 1.0.6 of 6 September 2010 -------------------------------------------------------------------------- diff --git a/bzip2/README b/bzip2/README index e17a84e04..9fb0f6360 100644 --- a/bzip2/README +++ b/bzip2/README @@ -6,8 +6,8 @@ This version is fully compatible with the previous public releases. This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. -bzip2/libbzip2 version 1.0.5 of 10 December 2007 -Copyright (C) 1996-2007 Julian Seward +bzip2/libbzip2 version 1.0.6 of 6 September 2010 +Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in this file. @@ -181,6 +181,10 @@ WHAT'S NEW IN 1.0.5 ? See the CHANGES file. +WHAT'S NEW IN 1.0.6 ? + + See the CHANGES file. + I hope you find bzip2 useful. Feel free to contact me at jseward@bzip.org @@ -208,3 +212,4 @@ Cambridge, UK. 15 February 2005 (bzip2, version 1.0.3) 20 December 2006 (bzip2, version 1.0.4) 10 December 2007 (bzip2, version 1.0.5) + 6 Sept 2010 (bzip2, version 1.0.6) diff --git a/bzip2/blocksort.c b/bzip2/blocksort.c index bd2dec157..d0d662cd4 100644 --- a/bzip2/blocksort.c +++ b/bzip2/blocksort.c @@ -8,8 +8,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.5 of 10 December 2007 - Copyright (C) 1996-2007 Julian Seward + bzip2/libbzip2 version 1.0.6 of 6 September 2010 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. diff --git a/bzip2/bzlib.c b/bzip2/bzlib.c index 82385bfcf..9db864ef2 100644 --- a/bzip2/bzlib.c +++ b/bzip2/bzlib.c 
@@ -8,8 +8,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.5 of 10 December 2007 - Copyright (C) 1996-2007 Julian Seward + bzip2/libbzip2 version 1.0.6 of 6 September 2010 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. diff --git a/bzip2/bzlib.h b/bzip2/bzlib.h index a42a1a30a..8a6e58f0a 100644 --- a/bzip2/bzlib.h +++ b/bzip2/bzlib.h @@ -8,8 +8,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.5 of 10 December 2007 - Copyright (C) 1996-2007 Julian Seward + bzip2/libbzip2 version 1.0.6 of 6 September 2010 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. diff --git a/bzip2/bzlib_private.h b/bzip2/bzlib_private.h index 23427879b..5d0217f46 100644 --- a/bzip2/bzlib_private.h +++ b/bzip2/bzlib_private.h @@ -8,8 +8,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.5 of 10 December 2007 - Copyright (C) 1996-2007 Julian Seward + bzip2/libbzip2 version 1.0.6 of 6 September 2010 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. @@ -36,7 +36,7 @@ /*-- General stuff. --*/ -#define BZ_VERSION "1.0.5, 10-Dec-2007" +#define BZ_VERSION "1.0.6, 6-Sept-2010" typedef char Char; typedef unsigned char Bool; diff --git a/bzip2/compress.c b/bzip2/compress.c index b5df41b12..9e944ab67 100644 --- a/bzip2/compress.c +++ b/bzip2/compress.c 
@@ -8,8 +8,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.5 of 10 December 2007 - Copyright (C) 1996-2007 Julian Seward + bzip2/libbzip2 version 1.0.6 of 6 September 2010 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. diff --git a/bzip2/crctable.c b/bzip2/crctable.c index 215687b2c..1fea7e946 100644 --- a/bzip2/crctable.c +++ b/bzip2/crctable.c @@ -8,8 +8,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.5 of 10 December 2007 - Copyright (C) 1996-2007 Julian Seward + bzip2/libbzip2 version 1.0.6 of 6 September 2010 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. diff --git a/bzip2/decompress.c b/bzip2/decompress.c index bba5e0fa3..311f5668f 100644 --- a/bzip2/decompress.c +++ b/bzip2/decompress.c @@ -8,8 +8,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.5 of 10 December 2007 - Copyright (C) 1996-2007 Julian Seward + bzip2/libbzip2 version 1.0.6 of 6 September 2010 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. @@ -381,6 +381,13 @@ Int32 BZ2_decompress ( DState* s ) es = -1; N = 1; do { + /* Check that N doesn't get too big, so that es doesn't + go negative. The maximum value that can be + RUNA/RUNB encoded is equal to the block size (post + the initial RLE), viz, 900k, so bounding N at 2 + million should guard against overflow without + rejecting any legitimate inputs. */ + if (N >= 2*1024*1024) RETURN(BZ_DATA_ERROR); if (nextSym == BZ_RUNA) es = es + (0+1) * N; else if (nextSym == BZ_RUNB) es = es + (1+1) * N; N = N * 2; 
@@ -485,15 +492,28 @@ Int32 BZ2_decompress ( DState* s ) RETURN(BZ_DATA_ERROR); /*-- Set up cftab to facilitate generation of T^(-1) --*/ + /* Check: unzftab entries in range. */ + for (i = 0; i <= 255; i++) { + if (s->unzftab[i] < 0 || s->unzftab[i] > nblock) + RETURN(BZ_DATA_ERROR); + } + /* Actually generate cftab. */ s->cftab[0] = 0; for (i = 1; i <= 256; i++) s->cftab[i] = s->unzftab[i-1]; for (i = 1; i <= 256; i++) s->cftab[i] += s->cftab[i-1]; + /* Check: cftab entries in range. */ for (i = 0; i <= 256; i++) { if (s->cftab[i] < 0 || s->cftab[i] > nblock) { /* s->cftab[i] can legitimately be == nblock */ RETURN(BZ_DATA_ERROR); } } + /* Check: cftab entries non-descending. */ + for (i = 1; i <= 256; i++) { + if (s->cftab[i-1] > s->cftab[i]) { + RETURN(BZ_DATA_ERROR); + } + } s->state_out_len = 0; s->state_out_ch = 0; diff --git a/bzip2/huffman.c b/bzip2/huffman.c index 87e79e38a..2283fdbc5 100644 --- a/bzip2/huffman.c +++ b/bzip2/huffman.c @@ -8,8 +8,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.5 of 10 December 2007 - Copyright (C) 1996-2007 Julian Seward + bzip2/libbzip2 version 1.0.6 of 6 September 2010 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file. diff --git a/bzip2/randtable.c b/bzip2/randtable.c index 068b76367..6d6245990 100644 --- a/bzip2/randtable.c +++ b/bzip2/randtable.c @@ -8,8 +8,8 @@ This file is part of bzip2/libbzip2, a program and library for lossless, block-sorting data compression. - bzip2/libbzip2 version 1.0.5 of 10 December 2007 - Copyright (C) 1996-2007 Julian Seward + bzip2/libbzip2 version 1.0.6 of 6 September 2010 + Copyright (C) 1996-2010 Julian Seward Please read the WARNING, DISCLAIMER and PATENTS sections in the README file.