Check for invalid code length codes in contrib/puff.

Without this fix, it would be possible to construct inputs to puff
that would cause it to segfault.

contrib/puff/puff.c

@@ -1,8 +1,8 @@
 /*
  * puff.c
- * Copyright (C) 2002-2010 Mark Adler
+ * Copyright (C) 2002-2013 Mark Adler
  * For conditions of distribution and use, see copyright notice in puff.h
- * version 2.2, 25 Apr 2010
+ * version 2.3, 21 Jan 2013
  *
  * puff.c is a simple inflate written to be an unambiguous way to specify the
  * deflate format.  It is not written for speed but rather simplicity.  As a
@@ -76,6 +76,7 @@
  *                      - Move NIL to puff.h
  *                      - Allow incomplete code only if single code length is 1
  *                      - Add full code coverage test to Makefile
+ * 2.3  21 Jan 2013     - Check for invalid code length codes in dynamic blocks
  */
 
 #include <setjmp.h>             /* for setjmp(), longjmp(), and jmp_buf */
@@ -704,6 +705,8 @@ local int dynamic(struct state *s)
         int len;                /* last length to repeat */
 
         symbol = decode(s, &lencode);
+        if (symbol < 0)
+            return symbol;          /* invalid symbol */
         if (symbol < 16)                /* length in 0..15 */
             lengths[index++] = symbol;
         else {                          /* repeat instruction */

contrib/puff/puff.h

@@ -1,6 +1,6 @@
 /* puff.h
-  Copyright (C) 2002-2010 Mark Adler, all rights reserved
-  version 2.2, 25 Apr 2010
+  Copyright (C) 2002-2013 Mark Adler, all rights reserved
+  version 2.3, 21 Jan 2013
 
   This software is provided 'as-is', without any express or implied
   warranty.  In no event will the author be held liable for any damages

contrib/puff/pufftest.c

@@ -1,8 +1,8 @@
 /*
  * pufftest.c
- * Copyright (C) 2002-2010 Mark Adler
+ * Copyright (C) 2002-2013 Mark Adler
  * For conditions of distribution and use, see copyright notice in puff.h
- * version 2.2, 25 Apr 2010
+ * version 2.3, 21 Jan 2013
  */
 
 /* Example of how to use puff().