Index: compress.1
--- compress.1.orig	1992-08-31 16:46:53 +0200
+++ compress.1	2006-08-12 14:09:31 +0200
@@ -1,7 +1,7 @@
 .PU
 .TH COMPRESS 1 local
 .SH NAME
-compress, uncompress, zcat \- compress and expand data (version 4.1)
+compress, uncompress \- compress and expand data (version 4.2)
 .SH SYNOPSIS
 .ll +8
 .B compress
@@ -36,12 +36,6 @@
 .I "name \&..."
 ]
 .br
-.B zcat
-[
-.B \-V
-] [
-.I "name \&..."
-]
 .SH DESCRIPTION
 .I Compress
 reduces the size of the named files using adaptive Lempel-Ziv coding.
@@ -68,9 +62,7 @@
 the user is prompted as to whether an existing file should be overwritten.
 .PP
 Compressed files can be restored to their original form using
-.I uncompress
-or
-.I zcat.
+.I uncompress.
 .PP
 .I uncompress
 takes a list of files on its command line and replaces each
@@ -88,19 +80,6 @@
 .I compress/uncompress
 write to the standard output; no files are changed.
 .PP
-.I zcat
-is identical to
-.I uncompress
-.B \-c.
-.I zcat
-uncompresses either a list of files on the command line or its
-standard input and writes the uncompressed data on standard output.
-.I zcat
-will uncompress files that have the correct magic number whether
-they have a
-.B "\&.Z"
-suffix or not.
-.PP
 If the
 .B \-r
 flag is specified, 
@@ -175,13 +154,13 @@
 option,
 a message is printed yielding the percentage of
 reduction for each file compressed.
-.PP
-Exit status is normally 0;
-if the last file is larger after (attempted) compression, the status is 2;
-if an error occurs, exit status is 1.
 .SH "SEE ALSO"
 pack(1), compact(1)
 .SH "DIAGNOSTICS"
+Exit status is normally 0;
+if the last file is larger after (attempted) compression, the status is 2;
+if an error occurs, exit status is 1.
+.PP
 Usage: compress [\-dfvcVr] [\-b maxbits] [file ...]
 .in +8
 Invalid options were specified on the command line.
@@ -272,13 +251,14 @@
 a small process data space (64KB or less, as exhibited by the DEC PDP
 series, the Intel 80286, etc.)
 .PP
-Invoking compress with a \-r
+Invoking compress with a 
+.BR \-r
 flag will occasionally cause it to produce spurious error warnings of the form
 .PP
 .in 8
 "<filename>.Z already has .Z suffix - ignored"
 .in -8
 .PP
-These warnings can be ignored. See the comments in compress.c:compdir()
-for an explanation.
+These warnings can be ignored. See the comments in compress42.c:compdir()
+in the source distribution for an explanation.
 
Index: compress42.c
--- compress42.c.orig	1992-10-28 12:10:53 +0100
+++ compress42.c	2006-08-12 14:10:40 +0200
@@ -131,6 +131,8 @@
  *
  */
 #include	<stdio.h>
+#include	<stdlib.h>
+#include	<string.h>
 #include	<fcntl.h>
 #include	<ctype.h>
 #include	<signal.h>
@@ -230,6 +232,8 @@
 
 #define INIT_BITS 9			/* initial number of bits/code */
 
+#define MIN_MAXBITS 10		/* min value for -b maxbits (smaller causes corruption) */
+
 #ifndef SACREDMEM
 	/*
  	 * SACREDMEM is the amount of physical memory saved for others; compress
@@ -638,13 +642,13 @@
 	} ;
 #endif
 
-void  	main			ARGS((int,char **));
+int   	main			ARGS((int,char **));
 void  	Usage			ARGS((void));
 void  	comprexx		ARGS((char **));
 void  	compdir			ARGS((char *));
 void  	compress		ARGS((int,int));
 void  	decompress		ARGS((int,int));
-char  	*rindex			ARGS((char *,int));
+char  	*my_rindex			ARGS((char *,int));
 void  	read_error		ARGS((void));
 void  	write_error		ARGS((void));
 void 	abort_compress	ARGS((void));
@@ -691,7 +695,7 @@
  *   deterministic, and can be done on the fly.  Thus, the decompression
  *   procedure needs no input table, but tracks the way the table was built.
  */ 
-void
+int
 main(argc, argv)
 	REG1	int 	 argc;
 	REG2	char	*argv[];
@@ -714,7 +718,7 @@
     	filelist = fileptr = (char **)malloc(argc*sizeof(char *));
     	*filelist = NULL;
 
-    	if((progname = rindex(argv[0], '/')) != 0)
+    	if((progname = my_rindex(argv[0], '/')) != 0)
 			progname++;
 		else
 			progname = argv[0];
@@ -819,7 +823,7 @@
 nextarg:	continue;
     	}
 
-    	if (maxbits < INIT_BITS)	maxbits = INIT_BITS;
+    	if (maxbits < MIN_MAXBITS)	maxbits = MIN_MAXBITS;
     	if (maxbits > BITS) 		maxbits = BITS;
 
     	if (*filelist != NULL)
@@ -883,6 +887,10 @@
 		int		fdout;
 		char	tempname[MAXPATHLEN];
 
+		if (strlen(*fileptr) > (MAXPATHLEN - 1)) {
+			fprintf(stderr, "Pathname too long: %s\n", *fileptr);
+			return;
+		}
 		strcpy(tempname,*fileptr);
 		errno = 0;
 
@@ -1737,7 +1745,7 @@
 		    		code = oldcode;
 				}
 
-				while ((cmp_code_int)code >= (cmp_code_int)256)
+				while ((cmp_code_int)code >= (cmp_code_int)256 && stackp > (char_type *)&htabof(0) /* CVE-2006-1168 */)
 				{ /* Generate output characters in reverse order */
 			    	*--stackp = tab_suffixof(code);
 			    	code = tab_prefixof(code);
@@ -1799,7 +1807,7 @@
 	}
 
 char *
-rindex(s, c)		/* For those who don't have it in libc.a */
+my_rindex(s, c)		/* For those who don't have it in libc.a */
 	REG1 char	*s;
 	REG2 int	 c;
 	{