d/freebsd-nq
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

zlib: Fix a bug when getting a gzip header extra field with inflate().

Browse Source 
If the extra field was larger than the space the user provided with
inflateGetHeader(), and if multiple calls of inflate() delivered
the extra header data, then there could be a buffer overflow of the
provided space. This commit assures that provided space is not
exceeded.

(cherry picked from zlib commit eff308af425b67093bab25f80f1ae950166bece1)
(cherry picked from zlib commit 1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d)

(cherry picked from commit dc3509f1aa)
(cherry picked from commit 2969066f73)
(cherry picked from commit 10cc2bf5f7)

Approved by:	so
Security:	CVE-2022-37434
This commit is contained in:
Mark Adler 2022-07-30 15:51:11 -07:00 committed by Ed Maste
parent 514a191356
commit 289231c963
1 changed files with 3 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
sys/contrib/zlib/inflate.c
View File

@ -764,8 +764,9 @@ int flush;
if (copy > have) copy = have;
if (copy) {
if (state->head != Z_NULL &&
state->head->extra != Z_NULL) {
len = state->head->extra_len - state->length;
state->head->extra != Z_NULL &&
(len = state->head->extra_len - state->length) <
state->head->extra_max) {
zmemcpy(state->head->extra + len, next,
len + copy > state->head->extra_max ?
state->head->extra_max - len : copy);