Date: Tue, 30 Aug 2022 23:15:36 GMT
Message-Id: <202208302315.27UNFagC061091@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Ed Maste
Subject: git: 938108cf04f0 - releng/12.3 - zlib: Fix a bug when getting a gzip header extra field with inflate().
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: emaste
X-Git-Repository: src
X-Git-Refname: refs/heads/releng/12.3
X-Git-Reftype: branch
X-Git-Commit: 938108cf04f0e222455c97f7ef038cbb0411a1e7

The branch releng/12.3 has been updated by emaste:

URL:
https://cgit.FreeBSD.org/src/commit/?id=938108cf04f0e222455c97f7ef038cbb0411a1e7 commit 938108cf04f0e222455c97f7ef038cbb0411a1e7 Author: Mark Adler AuthorDate: 2022-07-30 22:51:11 +0000 Commit: Ed Maste CommitDate: 2022-08-30 22:59:16 +0000 zlib: Fix a bug when getting a gzip header extra field with inflate(). If the extra field was larger than the space the user provided with inflateGetHeader(), and if multiple calls of inflate() delivered the extra header data, then there could be a buffer overflow of the provided space. This commit assures that provided space is not exceeded. (cherry picked from zlib commit eff308af425b67093bab25f80f1ae950166bece1) (cherry picked from zlib commit 1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d) (cherry picked from commit dc3509f1aafcd966f3dd9226115cf94b691ff3c7) (cherry picked from commit 2969066f73fc67a614144ac09b9f3f5291937fed) (cherry picked from commit 72bc320879944fecae59e903381c33ab4d5e443b) (cherry picked from commit bd8faba77f6f8eb344ab4f5b44536dab87b2b05c) Approved by: so Security: CVE-2022-37434 --- sys/contrib/zlib/inflate.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/sys/contrib/zlib/inflate.c b/sys/contrib/zlib/inflate.c index ac333e8c2eda..cd018573dee8 100644 --- a/sys/contrib/zlib/inflate.c +++ b/sys/contrib/zlib/inflate.c @@ -759,8 +759,9 @@ int flush; if (copy > have) copy = have; if (copy) { if (state->head != Z_NULL && - state->head->extra != Z_NULL) { - len = state->head->extra_len - state->length; + state->head->extra != Z_NULL && + (len = state->head->extra_len - state->length) < + state->head->extra_max) { zmemcpy(state->head->extra + len, next, len + copy > state->head->extra_max ? state->head->extra_max - len : copy);
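Review bot: The bound check added to the `if` condition assigns `len` as a side effect inside the `&&` chain, so its correctness depends on the two NULL tests on `state->head` and `state->head->extra` staying ahead of it; a later reordering of those operands would dereference `state->head` before it is checked. A short comment on the condition would make that ordering requirement explicit, or `len` could be computed in a nested `if` after the NULL tests. The same condition is also what keeps `state->head->extra_max - len` in the `zmemcpy` length from going below zero, since `len < state->head->extra_max` now holds whenever the copy runs; that invariant is worth stating next to the ternary. The diffstat lists only `sys/contrib/zlib/inflate.c`, so nothing in this change exercises the case the commit message describes (an extra field larger than the space given to inflateGetHeader(), delivered over multiple inflate() calls); a regression test for that case would help guard the fix.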