adenilson / rpms / zlib

Forked from rpms/zlib 9 months ago
Clone
35811d
From eff308af425b67093bab25f80f1ae950166bece1 Mon Sep 17 00:00:00 2001
35811d
From: Mark Adler <fork@madler.net>
35811d
Date: Sat, 30 Jul 2022 15:51:11 -0700
35811d
Subject: [PATCH] Fix a bug when getting a gzip header extra field with
35811d
 inflate().
35811d
35811d
If the extra field was larger than the space the user provided with
35811d
inflateGetHeader(), and if multiple calls of inflate() delivered
35811d
the extra header data, then there could be a buffer overflow of the
35811d
provided space. This commit assures that provided space is not
35811d
exceeded.
35811d
---
35811d
 inflate.c | 5 +++--
35811d
 1 file changed, 3 insertions(+), 2 deletions(-)
35811d
35811d
diff --git a/inflate.c b/inflate.c
35811d
index 7be8c63..7a72897 100644
35811d
--- a/inflate.c
35811d
+++ b/inflate.c
35811d
@@ -763,9 +763,10 @@ int flush;
35811d
                 copy = state->length;
35811d
                 if (copy > have) copy = have;
35811d
                 if (copy) {
35811d
+                    len = state->head->extra_len - state->length;
35811d
                     if (state->head != Z_NULL &&
35811d
-                        state->head->extra != Z_NULL) {
35811d
-                        len = state->head->extra_len - state->length;
35811d
+                        state->head->extra != Z_NULL &&
35811d
+                        len < state->head->extra_max) {
35811d
                         zmemcpy(state->head->extra + len, next,
35811d
                                 len + copy > state->head->extra_max ?
35811d
                                 state->head->extra_max - len : copy);
35811d
-- 
35811d
2.35.3
35811d