===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/compress/zopen.c,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -r1.16 -r1.17
--- src/usr.bin/compress/zopen.c 2005/06/26 18:20:26 1.16
+++ src/usr.bin/compress/zopen.c 2005/08/25 17:07:56 1.17
@@ -1,4 +1,4 @@
-/* $OpenBSD: zopen.c,v 1.16 2005/06/26 18:20:26 otto Exp $ */
+/* $OpenBSD: zopen.c,v 1.17 2005/08/25 17:07:56 millert Exp $ */
 /* $NetBSD: zopen.c,v 1.5 1995/03/26 09:44:53 glass Exp $ */
 /*-
@@ -40,7 +40,7 @@
 static char sccsid[] = "@(#)zopen.c 8.1 (Berkeley) 6/27/93";
 #else
 const char z_rcsid[] =
- "$OpenBSD: zopen.c,v 1.16 2005/06/26 18:20:26 otto Exp $";
+ "$OpenBSD: zopen.c,v 1.17 2005/08/25 17:07:56 millert Exp $";
 #endif
 /*-
@@ -110,8 +110,8 @@
 int zs_maxbits; /* User settable max # bits/code. */
 code_int zs_maxcode; /* Maximum code, given n_bits. */
 code_int zs_maxmaxcode; /* Should NEVER generate this code. */
- count_int zs_htab [HSIZE];
- u_short zs_codetab [HSIZE];
+ count_int zs_htab[HSIZE];
+ u_short zs_codetab[HSIZE];
 code_int zs_hsize; /* For dynamic table sizing. */
 code_int zs_free_ent; /* First unused entry. */
 /*
@@ -134,7 +134,7 @@
 code_int zs_ent;
 code_int zs_hsize_reg;
 int zs_hshift;
- } w; /* Write paramenters */
+ } w; /* Write parameters */
 struct {
 u_char *zs_stackp, *zs_ebp;
 int zs_finchar;
@@ -557,6 +557,15 @@
 /* Generate output characters in reverse order. */
 while (zs->zs_code >= 256) {
+ /*
+ * Bad input file may cause zs_stackp to overflow
+ * zs_htab; check here and abort decompression,
+ * that's better than dumping core.
+ */
+ if (zs->zs_stackp >= (u_char *)&zs->zs_htab[HSIZE]) {
+ errno = EINVAL;
+ return (-1);
+ }
 *zs->zs_stackp++ = tab_suffixof(zs->zs_code);
 zs->zs_code = tab_prefixof(zs->zs_code);
 }
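Review bot: The new bound in the `while (zs->zs_code >= 256)` loop fires only once `zs_stackp` reaches the end of `zs_htab`, so a corrupt prefix chain is detected late, after the loop has already overwritten the rest of the table with suffix bytes. It would be more robust to also reject an out-of-range code where it is read from the input, presumably shortly before this loop and outside the hunk, with something like `if (zs->zs_code > zs->zs_free_ent) { errno = EINVAL; return (-1); }`, so that a code the decoder never defined cannot start the walk at all. The bound check should stay as a backstop: `&zs->zs_htab[HSIZE]` is a valid one-past-the-end pointer and `>=` is the right comparison. The early return leaves `zs_stackp` and the rest of the read state as they were at the failure, so it is worth confirming that a caller which keeps reading after the -1 cannot reach code that still trusts that state; the enclosing function starts and ends outside the hunk.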