Date: Tue, 9 Aug 2022 14:43:49 GMT
Message-Id: <202208091443.279Ehnwx098243@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Ed Maste
Subject: git: 10cc2bf5f7a5 - stable/13 - zlib: Fix a bug when getting a gzip header extra field with inflate().
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-Git-Committer: emaste
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 10cc2bf5f7a592981ee00d22eb13e100beed1e64

The branch stable/13 has been updated by emaste:

URL:
https://cgit.FreeBSD.org/src/commit/?id=10cc2bf5f7a592981ee00d22eb13e100beed1e64 commit 10cc2bf5f7a592981ee00d22eb13e100beed1e64 Author: Mark Adler AuthorDate: 2022-07-30 22:51:11 +0000 Commit: Ed Maste CommitDate: 2022-08-09 14:40:35 +0000 zlib: Fix a bug when getting a gzip header extra field with inflate(). If the extra field was larger than the space the user provided with inflateGetHeader(), and if multiple calls of inflate() delivered the extra header data, then there could be a buffer overflow of the provided space. This commit assures that provided space is not exceeded. (cherry picked from zlib commit eff308af425b67093bab25f80f1ae950166bece1) (cherry picked from zlib commit 1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d) (cherry picked from commit dc3509f1aafcd966f3dd9226115cf94b691ff3c7) (cherry picked from commit 2969066f73fc67a614144ac09b9f3f5291937fed) --- sys/contrib/zlib/inflate.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/sys/contrib/zlib/inflate.c b/sys/contrib/zlib/inflate.c index 499626d87a1c..d4b4a0978656 100644 --- a/sys/contrib/zlib/inflate.c +++ b/sys/contrib/zlib/inflate.c @@ -764,8 +764,9 @@ int flush; if (copy > have) copy = have; if (copy) { if (state->head != Z_NULL && - state->head->extra != Z_NULL) { - len = state->head->extra_len - state->length; + state->head->extra != Z_NULL && + (len = state->head->extra_len - state->length) < + state->head->extra_max) { zmemcpy(state->head->extra + len, next, len + copy > state->head->extra_max ? state->head->extra_max - len : copy);
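
Review bot: In the rewritten condition of the @@ -764 hunk, `len` is assigned inside the third operand of the `&&` chain, `(len = state->head->extra_len - state->length) < state->head->extra_max`, so the bound that keeps `state->head->extra_max - len` in the zmemcpy() length argument positive is easy to miss, and it is only safe because the `state->head != Z_NULL` and `state->head->extra != Z_NULL` tests come first. Consider a short comment stating that the copy is skipped once `len` reaches `extra_max`, or computing `len` in a nested `if` after the two NULL checks so the assignment and the bound check read as separate steps. The diffstat lists only inflate.c; a regression case that delivers an extra field longer than `extra_max` across several inflate() calls, as the commit message describes, would guard this path.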