git: dc3509f1aafc - main - zlib: Fix a bug when getting a gzip header extra field with inflate().
Date: Fri, 05 Aug 2022 13:34:33 UTC
The branch main has been updated by emaste:
URL: https://cgit.FreeBSD.org/src/commit/?id=dc3509f1aafcd966f3dd9226115cf94b691ff3c7
commit dc3509f1aafcd966f3dd9226115cf94b691ff3c7
Author: Mark Adler <fork@madler.net>
AuthorDate: 2022-07-30 22:51:11 +0000
Commit: Ed Maste <emaste@FreeBSD.org>
CommitDate: 2022-08-05 02:30:20 +0000
zlib: Fix a bug when getting a gzip header extra field with inflate().
If the extra field was larger than the space the user provided with
inflateGetHeader(), and if multiple calls of inflate() delivered
the extra header data, then there could be a buffer overflow of the
provided space. This commit assures that provided space is not
exceeded.
(cherry picked from zlib commit eff308af425b67093bab25f80f1ae950166bece1)
---
sys/contrib/zlib/inflate.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/sys/contrib/zlib/inflate.c b/sys/contrib/zlib/inflate.c
index 499626d87a1c..345366eed406 100644
--- a/sys/contrib/zlib/inflate.c
+++ b/sys/contrib/zlib/inflate.c
@@ -763,9 +763,10 @@ int flush;
copy = state->length;
if (copy > have) copy = have;
if (copy) {
+ len = state->head->extra_len - state->length;
if (state->head != Z_NULL &&
- state->head->extra != Z_NULL) {
- len = state->head->extra_len - state->length;
+ state->head->extra != Z_NULL &&
+ len < state->head->extra_max) {
zmemcpy(state->head->extra + len, next,
len + copy > state->head->extra_max ?
state->head->extra_max - len : copy);