- From eff308af425b67093bab25f80f1ae950166bece1 Mon Sep 17 00:00:00 2001
- From: Mark Adler <fork@madler.net>
- Date: Sat, 30 Jul 2022 15:51:11 -0700
- Subject: [PATCH] Fix a bug when getting a gzip header extra field with
- inflate().
- If the extra field was larger than the space the user provided with
- inflateGetHeader(), and if multiple calls of inflate() delivered
- the extra header data, then there could be a buffer overflow of the
- provided space. This commit assures that provided space is not
- exceeded.
- (Ref: https://github.com/madler/zlib/commit/eff308af4)
- ---
- inflate.c | 5 +++--
- 1 file changed, 3 insertions(+), 2 deletions(-)
- --- zlib-1.2.11.dfsg.orig/inflate.c
- +++ zlib-1.2.11.dfsg/inflate.c
- @@ -758,9 +758,10 @@ int flush;
- copy = state->length;
- if (copy > have) copy = have;
- if (copy) {
- + len = state->head->extra_len - state->length;
- if (state->head != Z_NULL &&
- - state->head->extra != Z_NULL) {
- - len = state->head->extra_len - state->length;
- + state->head->extra != Z_NULL &&
- + len < state->head->extra_max) {
- zmemcpy(state->head->extra + len, next,
- len + copy > state->head->extra_max ?
- state->head->extra_max - len : copy);
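Review bot: The added `len = state->head->extra_len - state->length;` dereferences `state->head` one line before the `state->head != Z_NULL` test, so the null check no longer protects that read. The existing guard implies `head` can be `Z_NULL` here (presumably when the caller never registered a header with inflateGetHeader()), in which case a gzip stream carrying an extra field would cause a null-pointer dereference instead of being skipped. Compute `len` only after both pointer checks have passed, for example by folding it into the condition: `state->head->extra != Z_NULL && (len = state->head->extra_len - state->length) < state->head->extra_max) {`. The new `len < state->head->extra_max` bound is what stops the write past the user buffer and should stay as is. This block sits inside a larger function whose start and end are outside the hunk, so other uses of `len` could not be checked.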