Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
OpenHarmony
Third Party Zlib
提交
0e50af4c
T
Third Party Zlib
项目概览
OpenHarmony
/
Third Party Zlib
1 年多 前同步成功
通知
16
Star
112
Fork
2
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
T
Third Party Zlib
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
提交
Issue看板
提交
0e50af4c
编写于
4月 15, 2022
作者:
胡
胡逸飞
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
fix: fix CVE-2018-25032
Signed-off-by:
N
胡逸飞
<
huyifei11@h-partners.com
>
上级
c71ffa9f
变更
3
显示空白变更内容
内联
并排
Showing
3 changed file
with
81 addition
and
72 deletion
+81
-72
deflate.c
deflate.c
+55
-21
deflate.h
deflate.h
+11
-14
trees.c
trees.c
+15
-37
未找到文件。
deflate.c
浏览文件 @
0e50af4c
...
...
@@ -252,11 +252,6 @@ int ZEXPORT deflateInit2_(strm, level, method, windowBits, memLevel, strategy,
int
wrap
=
1
;
static
const
char
my_version
[]
=
ZLIB_VERSION
;
ushf
*
overlay
;
/* We overlay pending_buf and d_buf+l_buf. This works since the average
* output size for (length,distance) codes is <= 24 bits.
*/
if
(
version
==
Z_NULL
||
version
[
0
]
!=
my_version
[
0
]
||
stream_size
!=
sizeof
(
z_stream
))
{
return
Z_VERSION_ERROR
;
...
...
@@ -326,9 +321,47 @@ int ZEXPORT deflateInit2_(strm, level, method, windowBits, memLevel, strategy,
s
->
lit_bufsize
=
1
<<
(
memLevel
+
6
);
/* 16K elements by default */
overlay
=
(
ushf
*
)
ZALLOC
(
strm
,
s
->
lit_bufsize
,
sizeof
(
ush
)
+
2
);
s
->
pending_buf
=
(
uchf
*
)
overlay
;
s
->
pending_buf_size
=
(
ulg
)
s
->
lit_bufsize
*
(
sizeof
(
ush
)
+
2L
);
/* We overlay pending_buf and sym_buf. This works since the average size
* for length/distance pairs over any compressed block is assured to be 31
* bits or less.
*
* Analysis: The longest fixed codes are a length code of 8 bits plus 5
* extra bits, for lengths 131 to 257. The longest fixed distance codes are
* 5 bits plus 13 extra bits, for distances 16385 to 32768. The longest
* possible fixed-codes length/distance pair is then 31 bits total.
*
* sym_buf starts one-fourth of the way into pending_buf. So there are
* three bytes in sym_buf for every four bytes in pending_buf. Each symbol
* in sym_buf is three bytes -- two for the distance and one for the
* literal/length. As each symbol is consumed, the pointer to the next
* sym_buf value to read moves forward three bytes. From that symbol, up to
* 31 bits are written to pending_buf. The closest the written pending_buf
* bits gets to the next sym_buf symbol to read is just before the last
* code is written. At that time, 31*(n-2) bits have been written, just
* after 24*(n-2) bits have been consumed from sym_buf. sym_buf starts at
* 8*n bits into pending_buf. (Note that the symbol buffer fills when n-1
* symbols are written.) The closest the writing gets to what is unread is
* then n+14 bits. Here n is lit_bufsize, which is 16384 by default, and
* can range from 128 to 32768.
*
* Therefore, at a minimum, there are 142 bits of space between what is
* written and what is read in the overlain buffers, so the symbols cannot
* be overwritten by the compressed data. That space is actually 139 bits,
* due to the three-bit fixed-code block header.
*
* That covers the case where either Z_FIXED is specified, forcing fixed
* codes, or when the use of fixed codes is chosen, because that choice
* results in a smaller compressed block than dynamic codes. That latter
* condition then assures that the above analysis also covers all dynamic
* blocks. A dynamic-code block will only be chosen to be emitted if it has
* fewer bits than a fixed-code block would for the same set of symbols.
* Therefore its average symbol length is assured to be less than 31. So
* the compressed data for a dynamic block also cannot overwrite the
* symbols from which it is being constructed.
*/
s
->
pending_buf
=
(
uchf
*
)
ZALLOC
(
strm
,
s
->
lit_bufsize
,
4
);
s
->
pending_buf_size
=
(
ulg
)
s
->
lit_bufsize
*
4
;
if
(
s
->
window
==
Z_NULL
||
s
->
prev
==
Z_NULL
||
s
->
head
==
Z_NULL
||
s
->
pending_buf
==
Z_NULL
)
{
...
...
@@ -337,8 +370,12 @@ int ZEXPORT deflateInit2_(strm, level, method, windowBits, memLevel, strategy,
deflateEnd
(
strm
);
return
Z_MEM_ERROR
;
}
s
->
d_buf
=
overlay
+
s
->
lit_bufsize
/
sizeof
(
ush
);
s
->
l_buf
=
s
->
pending_buf
+
(
1
+
sizeof
(
ush
))
*
s
->
lit_bufsize
;
s
->
sym_buf
=
s
->
pending_buf
+
s
->
lit_bufsize
;
s
->
sym_end
=
(
s
->
lit_bufsize
-
1
)
*
3
;
/* We avoid equality with lit_bufsize*3 because of wraparound at 64K
* on 16 bit machines and because stored blocks are restricted to
* 64K-1 bytes.
*/
s
->
level
=
level
;
s
->
strategy
=
strategy
;
...
...
@@ -549,7 +586,7 @@ int ZEXPORT deflatePrime (strm, bits, value)
if
(
deflateStateCheck
(
strm
))
return
Z_STREAM_ERROR
;
s
=
strm
->
state
;
if
(
(
Bytef
*
)(
s
->
d_buf
)
<
s
->
pending_out
+
((
Buf_size
+
7
)
>>
3
))
if
(
s
->
sym_buf
<
s
->
pending_out
+
((
Buf_size
+
7
)
>>
3
))
return
Z_BUF_ERROR
;
do
{
put
=
Buf_size
-
s
->
bi_valid
;
...
...
@@ -1108,7 +1145,6 @@ int ZEXPORT deflateCopy (dest, source)
#else
deflate_state
*
ds
;
deflate_state
*
ss
;
ushf
*
overlay
;
if
(
deflateStateCheck
(
source
)
||
dest
==
Z_NULL
)
{
...
...
@@ -1128,8 +1164,7 @@ int ZEXPORT deflateCopy (dest, source)
ds
->
window
=
(
Bytef
*
)
ZALLOC
(
dest
,
ds
->
w_size
,
2
*
sizeof
(
Byte
));
ds
->
prev
=
(
Posf
*
)
ZALLOC
(
dest
,
ds
->
w_size
,
sizeof
(
Pos
));
ds
->
head
=
(
Posf
*
)
ZALLOC
(
dest
,
ds
->
hash_size
,
sizeof
(
Pos
));
overlay
=
(
ushf
*
)
ZALLOC
(
dest
,
ds
->
lit_bufsize
,
sizeof
(
ush
)
+
2
);
ds
->
pending_buf
=
(
uchf
*
)
overlay
;
ds
->
pending_buf
=
(
uchf
*
)
ZALLOC
(
dest
,
ds
->
lit_bufsize
,
4
);
if
(
ds
->
window
==
Z_NULL
||
ds
->
prev
==
Z_NULL
||
ds
->
head
==
Z_NULL
||
ds
->
pending_buf
==
Z_NULL
)
{
...
...
@@ -1143,8 +1178,7 @@ int ZEXPORT deflateCopy (dest, source)
zmemcpy
(
ds
->
pending_buf
,
ss
->
pending_buf
,
(
uInt
)
ds
->
pending_buf_size
);
ds
->
pending_out
=
ds
->
pending_buf
+
(
ss
->
pending_out
-
ss
->
pending_buf
);
ds
->
d_buf
=
overlay
+
ds
->
lit_bufsize
/
sizeof
(
ush
);
ds
->
l_buf
=
ds
->
pending_buf
+
(
1
+
sizeof
(
ush
))
*
ds
->
lit_bufsize
;
ds
->
sym_buf
=
ds
->
pending_buf
+
ds
->
lit_bufsize
;
ds
->
l_desc
.
dyn_tree
=
ds
->
dyn_ltree
;
ds
->
d_desc
.
dyn_tree
=
ds
->
dyn_dtree
;
...
...
@@ -1912,7 +1946,7 @@ local block_state deflate_fast(s, flush)
FLUSH_BLOCK
(
s
,
1
);
return
finish_done
;
}
if
(
s
->
last_li
t
)
if
(
s
->
sym_nex
t
)
FLUSH_BLOCK
(
s
,
0
);
return
block_done
;
}
...
...
@@ -2043,7 +2077,7 @@ local block_state deflate_slow(s, flush)
FLUSH_BLOCK
(
s
,
1
);
return
finish_done
;
}
if
(
s
->
last_li
t
)
if
(
s
->
sym_nex
t
)
FLUSH_BLOCK
(
s
,
0
);
return
block_done
;
}
...
...
@@ -2118,7 +2152,7 @@ local block_state deflate_rle(s, flush)
FLUSH_BLOCK
(
s
,
1
);
return
finish_done
;
}
if
(
s
->
last_li
t
)
if
(
s
->
sym_nex
t
)
FLUSH_BLOCK
(
s
,
0
);
return
block_done
;
}
...
...
@@ -2157,7 +2191,7 @@ local block_state deflate_huff(s, flush)
FLUSH_BLOCK
(
s
,
1
);
return
finish_done
;
}
if
(
s
->
last_li
t
)
if
(
s
->
sym_nex
t
)
FLUSH_BLOCK
(
s
,
0
);
return
block_done
;
}
deflate.h
浏览文件 @
0e50af4c
...
...
@@ -217,7 +217,7 @@ typedef struct internal_state {
/* Depth of each subtree used as tie breaker for trees of equal frequency
*/
uchf
*
l_buf
;
/* buffer for literals or
lengths */
uchf
*
sym_buf
;
/* buffer for distances and literals/
lengths */
uInt
lit_bufsize
;
/* Size of match buffer for literals/lengths. There are 4 reasons for
...
...
@@ -239,13 +239,8 @@ typedef struct internal_state {
* - I can't count above 4
*/
uInt
last_lit
;
/* running index in l_buf */
ushf
*
d_buf
;
/* Buffer for distances. To simplify the code, d_buf and l_buf have
* the same number of elements. To use different lengths, an extra flag
* array would be necessary.
*/
uInt
sym_next
;
/* running index in sym_buf */
uInt
sym_end
;
/* symbol table full when sym_next reaches this */
ulg
opt_len
;
/* bit length of current block with optimal trees */
ulg
static_len
;
/* bit length of current block with static trees */
...
...
@@ -325,20 +320,22 @@ void ZLIB_INTERNAL _tr_stored_block OF((deflate_state *s, charf *buf,
# define _tr_tally_lit(s, c, flush) \
{ uch cc = (c); \
s->d_buf[s->last_lit] = 0; \
s->l_buf[s->last_lit++] = cc; \
s->sym_buf[s->sym_next++] = 0; \
s->sym_buf[s->sym_next++] = 0; \
s->sym_buf[s->sym_next++] = cc; \
s->dyn_ltree[cc].Freq++; \
flush = (s->
last_lit == s->lit_bufsize-1
); \
flush = (s->
sym_next == s->sym_end
); \
}
# define _tr_tally_dist(s, distance, length, flush) \
{ uch len = (uch)(length); \
ush dist = (ush)(distance); \
s->d_buf[s->last_lit] = dist; \
s->l_buf[s->last_lit++] = len; \
s->sym_buf[s->sym_next++] = dist; \
s->sym_buf[s->sym_next++] = dist >> 8; \
s->sym_buf[s->sym_next++] = len; \
dist--; \
s->dyn_ltree[_length_code[len]+LITERALS+1].Freq++; \
s->dyn_dtree[d_code(dist)].Freq++; \
flush = (s->
last_lit == s->lit_bufsize-1
); \
flush = (s->
sym_next == s->sym_end
); \
}
#else
# define _tr_tally_lit(s, c, flush) flush = _tr_tally(s, 0, c)
...
...
trees.c
浏览文件 @
0e50af4c
...
...
@@ -416,7 +416,7 @@ local void init_block(s)
s
->
dyn_ltree
[
END_BLOCK
].
Freq
=
1
;
s
->
opt_len
=
s
->
static_len
=
0L
;
s
->
last_li
t
=
s
->
matches
=
0
;
s
->
sym_nex
t
=
s
->
matches
=
0
;
}
#define SMALLEST 1
...
...
@@ -947,7 +947,7 @@ void ZLIB_INTERNAL _tr_flush_block(s, buf, stored_len, last)
Tracev
((
stderr
,
"
\n
opt %lu(%lu) stat %lu(%lu) stored %lu lit %u "
,
opt_lenb
,
s
->
opt_len
,
static_lenb
,
s
->
static_len
,
stored_len
,
s
->
last_lit
));
s
->
sym_next
/
3
));
if
(
static_lenb
<=
opt_lenb
)
opt_lenb
=
static_lenb
;
...
...
@@ -1016,8 +1016,9 @@ int ZLIB_INTERNAL _tr_tally (s, dist, lc)
unsigned
dist
;
/* distance of matched string */
unsigned
lc
;
/* match length-MIN_MATCH or unmatched char (if dist==0) */
{
s
->
d_buf
[
s
->
last_lit
]
=
(
ush
)
dist
;
s
->
l_buf
[
s
->
last_lit
++
]
=
(
uch
)
lc
;
s
->
sym_buf
[
s
->
sym_next
++
]
=
dist
;
s
->
sym_buf
[
s
->
sym_next
++
]
=
dist
>>
8
;
s
->
sym_buf
[
s
->
sym_next
++
]
=
lc
;
if
(
dist
==
0
)
{
/* lc is the unmatched char */
s
->
dyn_ltree
[
lc
].
Freq
++
;
...
...
@@ -1032,30 +1033,7 @@ int ZLIB_INTERNAL _tr_tally (s, dist, lc)
s
->
dyn_ltree
[
_length_code
[
lc
]
+
LITERALS
+
1
].
Freq
++
;
s
->
dyn_dtree
[
d_code
(
dist
)].
Freq
++
;
}
#ifdef TRUNCATE_BLOCK
/* Try to guess if it is profitable to stop the current block here */
if
((
s
->
last_lit
&
0x1fff
)
==
0
&&
s
->
level
>
2
)
{
/* Compute an upper bound for the compressed length */
ulg
out_length
=
(
ulg
)
s
->
last_lit
*
8L
;
ulg
in_length
=
(
ulg
)((
long
)
s
->
strstart
-
s
->
block_start
);
int
dcode
;
for
(
dcode
=
0
;
dcode
<
D_CODES
;
dcode
++
)
{
out_length
+=
(
ulg
)
s
->
dyn_dtree
[
dcode
].
Freq
*
(
5L
+
extra_dbits
[
dcode
]);
}
out_length
>>=
3
;
Tracev
((
stderr
,
"
\n
last_lit %u, in %ld, out ~%ld(%ld%%) "
,
s
->
last_lit
,
in_length
,
out_length
,
100L
-
out_length
*
100L
/
in_length
));
if
(
s
->
matches
<
s
->
last_lit
/
2
&&
out_length
<
in_length
/
2
)
return
1
;
}
#endif
return
(
s
->
last_lit
==
s
->
lit_bufsize
-
1
);
/* We avoid equality with lit_bufsize because of wraparound at 64K
* on 16 bit machines and because stored blocks are restricted to
* 64K-1 bytes.
*/
return
(
s
->
sym_next
==
s
->
sym_end
);
}
/* ===========================================================================
...
...
@@ -1068,13 +1046,14 @@ local void compress_block(s, ltree, dtree)
{
unsigned
dist
;
/* distance of matched string */
int
lc
;
/* match length or unmatched char (if dist == 0) */
unsigned
lx
=
0
;
/* running index in l
_buf */
unsigned
sx
=
0
;
/* running index in sym
_buf */
unsigned
code
;
/* the code to send */
int
extra
;
/* number of extra bits to send */
if
(
s
->
last_lit
!=
0
)
do
{
dist
=
s
->
d_buf
[
lx
];
lc
=
s
->
l_buf
[
lx
++
];
if
(
s
->
sym_next
!=
0
)
do
{
dist
=
s
->
sym_buf
[
sx
++
]
&
0xff
;
dist
+=
(
unsigned
)(
s
->
sym_buf
[
sx
++
]
&
0xff
)
<<
8
;
lc
=
s
->
sym_buf
[
sx
++
];
if
(
dist
==
0
)
{
send_code
(
s
,
lc
,
ltree
);
/* send a literal byte */
Tracecv
(
isgraph
(
lc
),
(
stderr
,
" '%c' "
,
lc
));
...
...
@@ -1099,11 +1078,10 @@ local void compress_block(s, ltree, dtree)
}
}
/* literal or match pair ? */
/* Check that the overlay between pending_buf and d_buf+l_buf is ok: */
Assert
((
uInt
)(
s
->
pending
)
<
s
->
lit_bufsize
+
2
*
lx
,
"pendingBuf overflow"
);
/* Check that the overlay between pending_buf and sym_buf is ok: */
Assert
(
s
->
pending
<
s
->
lit_bufsize
+
sx
,
"pendingBuf overflow"
);
}
while
(
lx
<
s
->
last_li
t
);
}
while
(
sx
<
s
->
sym_nex
t
);
send_code
(
s
,
END_BLOCK
,
ltree
);
}
...
...
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录