1 From eff308af425b67093bab25f80f1ae950166bece1 Mon Sep 17 00:00:00 2001
2 From: Mark Adler <fork@madler.net>
3 Date: Sat, 30 Jul 2022 15:51:11 -0700
4 Subject: [PATCH] Fix a bug when getting a gzip header extra field with
7 If the extra field was larger than the space the user provided with
8 inflateGetHeader(), and if multiple calls of inflate() delivered
9 the extra header data, then there could be a buffer overflow of the
10 provided space. This commit assures that provided space is not
14 1 file changed, 3 insertions(+), 2 deletions(-)
16 diff --git a/inflate.c b/inflate.c
17 index 7be8c6366..7a7289749 100644
20 @@ -763,9 +763,10 @@ int flush;
22 if (copy > have) copy = have;
24 + len = state->head->extra_len - state->length;
25 if (state->head != Z_NULL &&
26 - state->head->extra != Z_NULL) {
27 - len = state->head->extra_len - state->length;
28 + state->head->extra != Z_NULL &&
29 + len < state->head->extra_max) {
30 zmemcpy(state->head->extra + len, next,
31 len + copy > state->head->extra_max ?
32 state->head->extra_max - len : copy);
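Review bot: The added `len = state->head->extra_len - state->length;` sits above the `state->head != Z_NULL` test, so it reads through `state->head` before that pointer has been checked. Judging by the guard, `head` can be NULL (presumably when the caller never registered a header with inflateGetHeader()), and a gzip stream carrying an extra field would then make inflate() dereference NULL. The assignment should be evaluated only after both NULL checks have passed, for example as the third operand of the condition: `(len = state->head->extra_len - state->length) < state->head->extra_max`. The second patch on this page makes that move, so anyone backporting should take the two commits together and never the first alone. The enclosing block of inflate() starts and ends outside the hunk.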
33 From 1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d Mon Sep 17 00:00:00 2001
34 From: Mark Adler <fork@madler.net>
35 Date: Mon, 8 Aug 2022 10:50:09 -0700
36 Subject: [PATCH] Fix extra field processing bug that dereferences NULL
39 The recent commit to fix a gzip header extra field processing bug
40 introduced the new bug fixed here.
43 1 file changed, 2 insertions(+), 2 deletions(-)
45 diff --git a/inflate.c b/inflate.c
46 index 7a7289749..2a3c4fe98 100644
49 @@ -763,10 +763,10 @@ int flush;
51 if (copy > have) copy = have;
53 - len = state->head->extra_len - state->length;
54 if (state->head != Z_NULL &&
55 state->head->extra != Z_NULL &&
56 - len < state->head->extra_max) {
57 + (len = state->head->extra_len - state->length) <
58 + state->head->extra_max) {
59 zmemcpy(state->head->extra + len, next,
60 len + copy > state->head->extra_max ?
61 state->head->extra_max - len : copy);
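Review bot: The new condition assigns `len` as a side effect of its third operand and relies on `&&` short-circuiting to keep that read behind the two NULL checks, yet nothing in the code records this. That ordering is exactly what the previous commit got wrong. A comment above the `if` would protect it from a later tidy-up, e.g. `/* len is assigned inside the condition so state->head is only read after the NULL checks; len >= extra_max means the caller's extra buffer is already full */`. Since `len < extra_max` is now guaranteed inside the branch, the unchanged size expression could also be written `copy > state->head->extra_max - len ? state->head->extra_max - len : copy`, which would not depend on `len + copy` staying below the wrap point if these are unsigned. The surrounding block of inflate() starts and ends outside the hunk.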