search for: inflate_block

...releases. CERT and CERT-FI has been notified, no other reaction is necessary at this point. For further technical information, please see the technical explanation below. The problem works as follows: when a maliciously corrupted compressed data stream is decompressed, it can cause the function inflate_blocks() to enter a certain state and return FALSE. If called again in this state, this function can cause a heap corruption exploitable by the attacker. (More precisely, both the first and the second call will attempt to free the same pointer. This is layed out in more detail in the advisory.) We do...

...cated memory to be released more than once (i.e., "double-freed"). Specifically, when inftrees.c:huft_build() encounters the crafted data, it returns an unexpected Z_MEM_ERROR to inftrees.c:inflate_trees_dynamic(). When a subsequent call is made to infblock.c:inflate_blocks(), the inflate_blocks function tries to free an internal data structure a second time. Because this bug interferes with the proper allocation and deallocation of dynamic memory, it may be possible for an attacker to influence the operation of programs that include...

...0x8061823 in inflate_codes (s=0x807b040, z=0x80777c0, r=0) at zlib/infcodes.c:200 200 while (f < s->window) /* modulo window size-"while" instead */ (gdb) bt #0 0x8061823 in inflate_codes (s=0x807b040, z=0x80777c0, r=0) at zlib/infcodes.c:200 #1 0x806104c in inflate_blocks (s=0x807b040, z=0x80777c0, r=-5) at zlib/infblock.c:340 #2 0x806243b in inflate (z=0x80777c0, f=0) at zlib/inflate.c:221 #3 0x805852f in recv_deflated_token (f=0, data=0xbfbfe8dc) at token.c:412 #4 0x805872e in recv_token (f=0, data=0xbfbfe8dc) at token.c:506 #5 0x804bd38 in receive_data (f_in...