Re: [Patch] 2.5.70-bk11 zlib merge #4 pure magic

Paul Mackerras (paulus@samba.org)
Sat, 7 Jun 2003 19:40:25 +1000


Jörn Engel writes:

> The only code that could be bitten by this change is ppp, so I changed
> that as well. Paulus, could you have a quick look at it?

As Bart pointed out, there is a bug in zlib for window_size == 256.
Here is James Carlson's description of the problem:

    The problem is that s->strstart gets set to a very large
    positive integer when wsize (local copy of s->w_size) is
    subtracted in deflate.c:fill_window(). This happens because
    MAX_DIST(s) resolves as a negative number when the window size
    is 8 -- MAX_DIST(s) is defined as s->w_size-MIN_LOOKAHEAD in
    deflate.h. MIN_LOOKAHEAD is MAX_MATCH+MIN_MATCH+1, and that
    is 258+3+1 or 262. Since a window size of 8 gives s->w_size
    256, MAX_DIST(s) is 256-262 or -6.

    This results in read_buf() writing over memory outside of
    s->window, and a crash.

Your change won't affect PPP, since pppd already refuses to use
windowBits == 8 (as a workaround for this bug).

Regards,
Paul.

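The arithmetic Carlson describes, worked through as an added example (not part of this mail, and not zlib's or pppd's own code). It uses the constants quoted above and a simplified model of the sliding step in deflate.c:fill_window(): the window slides and strstart has wsize subtracted once strstart reaches wsize + MAX_DIST(s), evaluated in uInt arithmetic as zlib does. The rest of fill_window() is not modelled, and the function names and the windowBits range check are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Constants as quoted from deflate.h in the mail above. */
#define MIN_MATCH     3
#define MAX_MATCH     258
#define MIN_LOOKAHEAD (MAX_MATCH + MIN_MATCH + 1)   /* 262 */

/* MAX_DIST(s) is s->w_size - MIN_LOOKAHEAD. Computed in signed
 * arithmetic here so the negative result for w_bits == 8 is visible as -6. */
long max_dist_signed(int w_bits)
{
    long w_size = 1L << w_bits;
    return w_size - MIN_LOOKAHEAD;
}

/* The same expression the way zlib evaluates it: s->w_size is a uInt,
 * so for w_bits == 8 the -6 wraps to 2^32 - 6. */
uint32_t max_dist_uint(int w_bits)
{
    uint32_t w_size = (uint32_t)1 << w_bits;
    return w_size - MIN_LOOKAHEAD;
}

/* Simplified model (an assumption of this example, not zlib's code) of
 * the sliding step in fill_window(): once strstart reaches
 * wsize + MAX_DIST(s) the window slides by wsize and strstart -= wsize.
 * Returns the resulting strstart. */
uint32_t slide_strstart(int w_bits, uint32_t strstart)
{
    uint32_t wsize = (uint32_t)1 << w_bits;
    if (strstart >= wsize + max_dist_uint(w_bits)) {
        /* For w_bits == 8 the threshold is 256 + (2^32 - 6) == 250 mod 2^32,
         * so the slide fires while strstart < wsize and the subtraction
         * wraps to a huge value. For w_bits >= 9 the threshold is >= wsize
         * and the subtraction cannot wrap. */
        strstart -= wsize;
    }
    return strstart;
}

/* After a slide at this position, does the next read_buf() target
 * (window + strstart + lookahead) lie outside the 2*wsize-byte window? */
int read_lands_outside_window(int w_bits, uint32_t strstart, uint32_t lookahead)
{
    uint64_t window_size = (uint64_t)2 * ((uint32_t)1 << w_bits);
    uint64_t offset = (uint64_t)slide_strstart(w_bits, strstart) + lookahead;
    return offset >= window_size;
}

/* The slide is only safe when its threshold wsize + MAX_DIST(s) is at
 * least wsize, i.e. when MAX_DIST(s) is not negative. That requires
 * 2^w_bits >= MIN_LOOKAHEAD, i.e. w_bits >= 9. */
int window_bits_safe(int w_bits)
{
    return max_dist_signed(w_bits) >= 0;
}

/* A pppd-style workaround as described in the mail: refuse windowBits == 8.
 * zlib documents 8..15 as valid; this check is an illustration, not pppd's code. */
int accept_window_bits(int w_bits)
{
    return w_bits >= 9 && w_bits <= 15;
}

int main(void)
{
    for (int w_bits = 8; w_bits <= 10; w_bits++) {
        printf("w_bits=%d w_size=%d MAX_DIST=%ld (as uInt %u) safe=%d\n",
               w_bits, 1 << w_bits, max_dist_signed(w_bits),
               (unsigned)max_dist_uint(w_bits), window_bits_safe(w_bits));
    }
    printf("w_bits=8, strstart=250 -> strstart after slide = %u\n",
           (unsigned)slide_strstart(8, 250));
    printf("w_bits=8, strstart=250, lookahead=0 -> read outside window: %d\n",
           read_lands_outside_window(8, 250, 0));
    return 0;
}
```

Running it shows the chain from the quoted description: MAX_DIST is -6 for w_bits 8, the slide condition therefore fires at strstart 250 (before strstart has reached the 256-byte window size), the subtraction wraps strstart to 4294967290, and the next read_buf() offset is far beyond the 512-byte window, whereas w_bits 9 and up never trigger the wrap.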
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/