Tree - rpms/zlib - CentOS Git server

rpms / zlib

Files

Commit: 9f74df28a1a91b715489e87b8a34b596cb4ee5b6

Blob Blame History Raw

 From eff308af425b67093bab25f80f1ae950166bece1 Mon Sep 17 00:00:00 2001
From: Mark Adler <fork@madler.net>
Date: Sat, 30 Jul 2022 15:51:11 -0700
Subject: [PATCH] Fix a bug when getting a gzip header extra field with
 inflate().
 
If the extra field was larger than the space the user provided with
inflateGetHeader(), and if multiple calls of inflate() delivered
the extra header data, then there could be a buffer overflow of the
provided space. This commit assures that provided space is not
exceeded.
---
 inflate.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
 
diff --git a/inflate.c b/inflate.c
index 7be8c63..7a72897 100644
--- a/inflate.c
+++ b/inflate.c
@@ -763,9 +763,10 @@ int flush;
                 copy = state->length;
                 if (copy > have) copy = have;
                 if (copy) {
+                    len = state->head->extra_len - state->length;
                     if (state->head != Z_NULL &&
-                        state->head->extra != Z_NULL) {
-                        len = state->head->extra_len - state->length;
+                        state->head->extra != Z_NULL &&
+                        len < state->head->extra_max) {
                         zmemcpy(state->head->extra + len, next,
                                 len + copy > state->head->extra_max ?
                                 state->head->extra_max - len : copy);
-- 
2.35.3

	From eff308af425b67093bab25f80f1ae950166bece1 Mon Sep 17 00:00:00 2001
	From: Mark Adler <fork@madler.net>
	Date: Sat, 30 Jul 2022 15:51:11 -0700
	Subject: [PATCH] Fix a bug when getting a gzip header extra field with
	inflate().

	If the extra field was larger than the space the user provided with
	inflateGetHeader(), and if multiple calls of inflate() delivered
	the extra header data, then there could be a buffer overflow of the
	provided space. This commit assures that provided space is not
	exceeded.
	---
	inflate.c \| 5 +++--
	1 file changed, 3 insertions(+), 2 deletions(-)

	diff --git a/inflate.c b/inflate.c
	index 7be8c63..7a72897 100644
	--- a/inflate.c
	+++ b/inflate.c
	@@ -763,9 +763,10 @@ int flush;
	copy = state->length;
	if (copy > have) copy = have;
	if (copy) {
	+ len = state->head->extra_len - state->length;
	if (state->head != Z_NULL &&
	- state->head->extra != Z_NULL) {
	- len = state->head->extra_len - state->length;
	+ state->head->extra != Z_NULL &&
	+ len < state->head->extra_max) {
	zmemcpy(state->head->extra + len, next,
	len + copy > state->head->extra_max ?
	state->head->extra_max - len : copy);
	--
	2.35.3

rpms / zlib

Source Code

Files