patch-CVE-2008-0888   [plain text]


diff -up inflate.c.pom inflate.c
--- inflate.c.pom	2005-02-27 07:08:46.000000000 +0100
+++ inflate.c	2008-03-19 14:47:58.000000000 +0100
@@ -983,6 +983,7 @@ static int inflate_dynamic(__G)
   unsigned l;           /* last length */
   unsigned m;           /* mask for bit lengths table */
   unsigned n;           /* number of lengths to get */
+  struct huft *tlp;
   struct huft *tl;      /* literal/length code table */
   struct huft *td;      /* distance code table */
   unsigned bl;          /* lookup bits for tl */
@@ -995,6 +996,7 @@ static int inflate_dynamic(__G)
   register unsigned k;  /* number of bits in bit buffer */
   int retval = 0;       /* error code returned: initialized to "no error" */
 
+  td = tlp = tl = (struct huft *)NULL;
 
   /* make local bit buffer */
   Trace((stderr, "\ndynamic block"));
@@ -1047,9 +1049,9 @@ static int inflate_dynamic(__G)
   while (i < n)
   {
     NEEDBITS(bl)
-    j = (td = tl + ((unsigned)b & m))->b;
+    j = (tlp = tl + ((unsigned)b & m))->b;
     DUMPBITS(j)
-    j = td->v.n;
+    j = tlp->v.n;
     if (j < 16)                 /* length of code in bits (0..15) */
       ll[i++] = l = j;          /* save last length in l */
     else if (j == 16)           /* repeat last length 3 to 6 times */
@@ -1149,8 +1151,8 @@ static int inflate_dynamic(__G)
 
 cleanup_and_exit:
   /* free the decoding tables, return */
-  huft_free(tl);
-  huft_free(td);
+  if (tl) huft_free(tl);
+  if (td) huft_free(td);
   return retval;
 }