From eff308af425b67093bab25f80f1ae950166bece1 Mon Sep 17 00:00:00 2001
From: Mark Adler <fork@madler.net>
Date: Sat, 30 Jul 2022 15:51:11 -0700
Subject: [PATCH] Fix a bug when getting a gzip header extra field with
 inflate().
If the extra field was larger than the space the user provided with
inflateGetHeader(), and if multiple calls of inflate() delivered
the extra header data, then there could be a buffer overflow of the
provided space. This commit assures that provided space is not
exceeded.
---
 inflate.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/inflate.c b/inflate.c
7f86b9
index 7be8c63..7a72897 100644
7f86b9
--- a/inflate.c
7f86b9
+++ b/inflate.c
7f86b9
@@ -763,9 +763,10 @@ int flush;
7f86b9
                 copy = state->length;
7f86b9
                 if (copy > have) copy = have;
7f86b9
                 if (copy) {
7f86b9
+                    len = state->head->extra_len - state->length;
7f86b9
                     if (state->head != Z_NULL &&
7f86b9
-                        state->head->extra != Z_NULL) {
7f86b9
-                        len = state->head->extra_len - state->length;
7f86b9
+                        state->head->extra != Z_NULL &&
7f86b9
+                        len < state->head->extra_max) {
7f86b9
                         zmemcpy(state->head->extra + len, next,
7f86b9
                                 len + copy > state->head->extra_max ?
7f86b9
                                 state->head->extra_max - len : copy);
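Review bot: The added `len = state->head->extra_len - state->length;` now executes before the `state->head != Z_NULL` test on the following line, so `state->head` is dereferenced unconditionally whenever `copy` is non-zero. The condition itself still treats a null `head` as reachable (presumably a caller that never registered a header structure with inflateGetHeader()), and in that case a gzip stream that carries an extra field would fault inside inflate() instead of skipping the copy. The new bound is right, but `len` should be computed only after the null checks, for example by folding it into the condition: `state->head->extra != Z_NULL &&` followed by `(len = state->head->extra_len - state->length) < state->head->extra_max) {`. The enclosing function begins and ends outside this hunk, so confirm `len` is not read later in this state on the path where the condition is false.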
-- 
2.35.3