Date: Tue, 9 Aug 2022 14:44:22 GMT
Message-Id: <202208091444.279EiMHp098410@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Ed Maste
Subject: git: bd8faba77f6f - stable/12 - zlib: Fix a bug when getting a gzip header extra field with inflate().
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all

The branch stable/12 has been updated by emaste:

URL:
https://cgit.FreeBSD.org/src/commit/?id=bd8faba77f6f8eb344ab4f5b44536dab87b2b05c commit bd8faba77f6f8eb344ab4f5b44536dab87b2b05c Author: Mark Adler AuthorDate: 2022-07-30 22:51:11 +0000 Commit: Ed Maste CommitDate: 2022-08-09 14:44:08 +0000 zlib: Fix a bug when getting a gzip header extra field with inflate(). If the extra field was larger than the space the user provided with inflateGetHeader(), and if multiple calls of inflate() delivered the extra header data, then there could be a buffer overflow of the provided space. This commit assures that provided space is not exceeded. (cherry picked from zlib commit eff308af425b67093bab25f80f1ae950166bece1) (cherry picked from zlib commit 1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d) (cherry picked from commit dc3509f1aafcd966f3dd9226115cf94b691ff3c7) (cherry picked from commit 2969066f73fc67a614144ac09b9f3f5291937fed) (cherry picked from commit 72bc320879944fecae59e903381c33ab4d5e443b) --- sys/contrib/zlib/inflate.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/sys/contrib/zlib/inflate.c b/sys/contrib/zlib/inflate.c index 499626d87a1c..d4b4a0978656 100644 --- a/sys/contrib/zlib/inflate.c +++ b/sys/contrib/zlib/inflate.c @@ -764,8 +764,9 @@ int flush; if (copy > have) copy = have; if (copy) { if (state->head != Z_NULL && - state->head->extra != Z_NULL) { - len = state->head->extra_len - state->length; + state->head->extra != Z_NULL && + (len = state->head->extra_len - state->length) < + state->head->extra_max) { zmemcpy(state->head->extra + len, next, len + copy > state->head->extra_max ? state->head->extra_max - len : copy);
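
Review bot: the new bound check, (len = state->head->extra_len - state->length) < state->head->extra_max, buries an assignment inside a three-clause && chain, and nothing in the hunk says why it is there. A short comment above the if would help, stating that once len reaches extra_max the caller's buffer is full and no more of the extra field is copied, because that is the condition that keeps extra_max - len in the zmemcpy() length from going below zero (or wrapping, if these fields are unsigned). The declarations of len and extra_max are outside this hunk, so it is worth confirming that both sides of the comparison have the same signedness. The diffstat shows only inflate.c changed; a regression test that delivers a gzip extra field larger than the space given to inflateGetHeader() across several inflate() calls would guard this path.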