Submitted By: Bruce Dubbs <bdubbs@linuxfromscratch.org>
Date: 2008-04-14
Initial Package Version: 5.52
Origin: https://bugzilla.altlinux.org/attachment.cgi?id=532
Description: The inflate_dynamic() routine (~978, inflate.c) uses a macro
NEEDBITS() that jumps execution to a cleanup routine on error, this
routine attempts to free() two buffers allocated during the inflate
process. At certain locations, the NEEDBITS() macro is used while the
pointers are not pointing to valid buffers, they are either
uninitialised or pointing inside a block that has already been free()d
(ie, not pointing at the block, but at a location inside it).

$LastChangedBy: $
$Date:  $

--- unzip-5.52/inflate.c
+++ unzip-5.52/inflate.c
@@ -983,6 +983,7 @@
   unsigned l;           /* last length */
   unsigned m;           /* mask for bit lengths table */
   unsigned n;           /* number of lengths to get */
+  struct huft *tlp;     
   struct huft *tl;      /* literal/length code table */
   struct huft *td;      /* distance code table */
   unsigned bl;          /* lookup bits for tl */
@@ -996,6 +997,8 @@
   int retval = 0;       /* error code returned: initialized to "no error" */
 
 
+  td = tlp = tl = (struct huft *)NULL;
+
   /* make local bit buffer */
   Trace((stderr, "\ndynamic block"));
   b = G.bb;
@@ -1047,9 +1050,9 @@
   while (i < n)
   {
     NEEDBITS(bl)
-    j = (td = tl + ((unsigned)b & m))->b;
+    j = (tlp = tl + ((unsigned)b & m))->b;
     DUMPBITS(j)
-    j = td->v.n;
+    j = tlp->v.n;
     if (j < 16)                 /* length of code in bits (0..15) */
       ll[i++] = l = j;          /* save last length in l */
     else if (j == 16)           /* repeat last length 3 to 6 times */