oss-sec mailing list archives

Re: LZW decompression issues


From: Solar Designer <solar () openwall com>
Date: Thu, 29 Sep 2011 04:41:53 +0400

Tomas -

On Wed, Sep 28, 2011 at 08:22:28PM +0200, Tomas Hoger wrote:
> Let me try to explain some.

Thank you!  This is very helpful.

> > Do we possibly want to add the "maxbits < 12" check as well?  And does
> > it matter for security?
>
> I'm not aware of any security impact of that.  Not sure if there's any
> spec that requires maxbits >= 12, if not, INIT_BITS (9) may be a safer
> lower bound.

I am asking Joerg about it in another message.

Colin - thank you for your prompt response (redirecting us to NetBSD).
Some further postings went without CC to you, I hope that's OK.

Alexander

