Commit | Line | Data |
---|---|---|
39d59a8f JP |
1 | From eff308af425b67093bab25f80f1ae950166bece1 Mon Sep 17 00:00:00 2001 |
2 | From: Mark Adler <fork@madler.net> | |
3 | Date: Sat, 30 Jul 2022 15:51:11 -0700 | |
4 | Subject: [PATCH] Fix a bug when getting a gzip header extra field with | |
5 | inflate(). | |
6 | ||
7 | If the extra field was larger than the space the user provided with | |
8 | inflateGetHeader(), and if multiple calls of inflate() delivered | |
9 | the extra header data, then there could be a buffer overflow of the | |
10 | provided space. This commit assures that provided space is not | |
11 | exceeded. | |
12 | --- | |
13 | inflate.c | 5 +++-- | |
14 | 1 file changed, 3 insertions(+), 2 deletions(-) | |
15 | ||
16 | diff --git a/inflate.c b/inflate.c | |
17 | index 7be8c6366..7a7289749 100644 | |
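--- a/inflate.c
+++ b/inflate.c
@@ -763,9 +763,10 @@ int flush;
 copy = state->length;
 if (copy > have) copy = have;
 if (copy) {
+ len = state->head->extra_len - state->length;
 if (state->head != Z_NULL &&
- state->head->extra != Z_NULL) {
- len = state->head->extra_len - state->length;
+ state->head->extra != Z_NULL &&
+ len < state->head->extra_max) {
 zmemcpy(state->head->extra + len, next,
 len + copy > state->head->extra_max ?
 state->head->extra_max - len : copy);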
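Review bot: The added line `len = state->head->extra_len - state->length;` sits above the `state->head != Z_NULL` test, so on the new side `state->head` is dereferenced before it is checked, and the check that follows shows a NULL head is an expected state here. The second patch on this page moves the assignment back behind the NULL checks, so anyone backporting should apply both patches together and never ship this hunk on its own. The new `len < state->head->extra_max` bound is also what keeps `extra_max - len` from wrapping in the zmemcpy() size (assuming these fields are unsigned, as the arithmetic suggests), and a short comment would make that explicit, e.g. `/* len >= extra_max: caller's buffer is already full, skip the copy */`. The enclosing function starts and ends outside the hunk.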
33 | From 1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d Mon Sep 17 00:00:00 2001 | |
34 | From: Mark Adler <fork@madler.net> | |
35 | Date: Mon, 8 Aug 2022 10:50:09 -0700 | |
36 | Subject: [PATCH] Fix extra field processing bug that dereferences NULL | |
37 | state->head. | |
38 | ||
39 | The recent commit to fix a gzip header extra field processing bug | |
40 | introduced the new bug fixed here. | |
41 | --- | |
42 | inflate.c | 4 ++-- | |
43 | 1 file changed, 2 insertions(+), 2 deletions(-) | |
44 | ||
45 | diff --git a/inflate.c b/inflate.c | |
46 | index 7a7289749..2a3c4fe98 100644 | |
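--- a/inflate.c
+++ b/inflate.c
@@ -763,10 +763,10 @@ int flush;
 copy = state->length;
 if (copy > have) copy = have;
 if (copy) {
- len = state->head->extra_len - state->length;
 if (state->head != Z_NULL &&
 state->head->extra != Z_NULL &&
- len < state->head->extra_max) {
+ (len = state->head->extra_len - state->length) <
+ state->head->extra_max) {
 zmemcpy(state->head->extra + len, next,
 len + copy > state->head->extra_max ?
 state->head->extra_max - len : copy);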
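Review bot: The assignment to `len` is now buried inside the `&&` chain, so the code is correct only because short-circuit evaluation runs it after both NULL checks; nothing in the hunk says so, and the previous patch shows how easily that ordering gets broken. I would add a comment above the condition such as `/* len = extra bytes already consumed; compute only after head is known non-NULL */`. `len` is also left unassigned when either pointer is Z_NULL, which is fine only if nothing after this block reads it; that code is outside the hunk, so it is worth confirming. A regression test that feeds a gzip header whose extra field exceeds `extra_max` across several inflate() calls, both with and without a prior inflateGetHeader(), would pin both fixes.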