aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMark Adler <fork@madler.net>2022-07-30 22:51:11 +0000
committerEd Maste <emaste@FreeBSD.org>2022-08-05 02:30:20 +0000
commitdc3509f1aafcd966f3dd9226115cf94b691ff3c7 (patch)
treedfe06b2a31577bf3e0d7b92e84b3d349b4b3585a
parentc0665d5c82407a41591532ac75bc37a13d3314e6 (diff)
downloadsrc-dc3509f1aafcd966f3dd9226115cf94b691ff3c7.tar.gz
src-dc3509f1aafcd966f3dd9226115cf94b691ff3c7.zip
zlib: Fix a bug when getting a gzip header extra field with inflate().
If the extra field was larger than the space the user provided with inflateGetHeader(), and if multiple calls of inflate() delivered the extra header data, then there could be a buffer overflow of the provided space. This commit assures that provided space is not exceeded. (cherry picked from zlib commit eff308af425b67093bab25f80f1ae950166bece1)
-rw-r--r--sys/contrib/zlib/inflate.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/sys/contrib/zlib/inflate.c b/sys/contrib/zlib/inflate.c
index 499626d87a1c..345366eed406 100644
--- a/sys/contrib/zlib/inflate.c
+++ b/sys/contrib/zlib/inflate.c
@@ -763,9 +763,10 @@ int flush;
copy = state->length;
if (copy > have) copy = have;
if (copy) {
+ len = state->head->extra_len - state->length;
if (state->head != Z_NULL &&
- state->head->extra != Z_NULL) {
- len = state->head->extra_len - state->length;
+ state->head->extra != Z_NULL &&
+ len < state->head->extra_max) {
zmemcpy(state->head->extra + len, next,
len + copy > state->head->extra_max ?
state->head->extra_max - len : copy);