upstream fix for CVE-2022-37434; rel 4
1 From eff308af425b67093bab25f80f1ae950166bece1 Mon Sep 17 00:00:00 2001
2 From: Mark Adler <fork@madler.net>
3 Date: Sat, 30 Jul 2022 15:51:11 -0700
4 Subject: [PATCH] Fix a bug when getting a gzip header extra field with
5  inflate().
6
7 If the extra field was larger than the space the user provided with
8 inflateGetHeader(), and if multiple calls of inflate() delivered
9 the extra header data, then there could be a buffer overflow of the
10 provided space. This commit assures that provided space is not
11 exceeded.
12 ---
13  inflate.c | 5 +++--
14  1 file changed, 3 insertions(+), 2 deletions(-)
15
16 diff --git a/inflate.c b/inflate.c
17 index 7be8c6366..7a7289749 100644
18 --- a/inflate.c
19 +++ b/inflate.c
20 @@ -763,9 +763,10 @@ int flush;
21                  copy = state->length;
22                  if (copy > have) copy = have;
23                  if (copy) {
24 +                    len = state->head->extra_len - state->length;
25                      if (state->head != Z_NULL &&
26 -                        state->head->extra != Z_NULL) {
27 -                        len = state->head->extra_len - state->length;
28 +                        state->head->extra != Z_NULL &&
29 +                        len < state->head->extra_max) {
30                          zmemcpy(state->head->extra + len, next,
31                                  len + copy > state->head->extra_max ?
32                                  state->head->extra_max - len : copy);
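Review bot: The added `len = state->head->extra_len - state->length;` sits above the `state->head != Z_NULL` test, so with this hunk alone inflate() reads through a NULL `head` whenever a gzip extra field is processed without a header struct (presumably when inflateGetHeader() was never called). The second patch in this file folds the assignment into the condition, so the two commits have to be carried as a pair; a backport that picks only this one trades the overflow for a crash. If the patch file is ever split, keep a note with it such as `both upstream commits are required; the first alone dereferences NULL state->head`. The enclosing function starts and ends outside the hunk.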
33 From 1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d Mon Sep 17 00:00:00 2001
34 From: Mark Adler <fork@madler.net>
35 Date: Mon, 8 Aug 2022 10:50:09 -0700
36 Subject: [PATCH] Fix extra field processing bug that dereferences NULL
37  state->head.
38
39 The recent commit to fix a gzip header extra field processing bug
40 introduced the new bug fixed here.
41 ---
42  inflate.c | 4 ++--
43  1 file changed, 2 insertions(+), 2 deletions(-)
44
45 diff --git a/inflate.c b/inflate.c
46 index 7a7289749..2a3c4fe98 100644
47 --- a/inflate.c
48 +++ b/inflate.c
49 @@ -763,10 +763,10 @@ int flush;
50                  copy = state->length;
51                  if (copy > have) copy = have;
52                  if (copy) {
53 -                    len = state->head->extra_len - state->length;
54                      if (state->head != Z_NULL &&
55                          state->head->extra != Z_NULL &&
56 -                        len < state->head->extra_max) {
57 +                        (len = state->head->extra_len - state->length) <
58 +                            state->head->extra_max) {
59                          zmemcpy(state->head->extra + len, next,
60                                  len + copy > state->head->extra_max ?
61                                  state->head->extra_max - len : copy);
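Review bot: The bound that stops the overflow now lives in an assignment buried in the `if` condition, and it is safe only because `&&` evaluates the two NULL tests first; nothing in the hunk says so. A short comment above the condition would protect it from a later tidy-up, for example `/* len = extra bytes already seen; compute only after the NULL checks, and copy only while len < extra_max */`. The comparison also appears to rely on `len` being unsigned, so that a `state->length` larger than `extra_len` wraps to a large value and skips the copy; `len` is declared outside the hunk, so that is worth confirming. A regression case that delivers an extra field larger than `extra_max` across several inflate() calls, once with and once without a header struct, would cover both commits.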