[packages/zlib.git] / CVE-2022-37434.patch

From eff308af425b67093bab25f80f1ae950166bece1 Mon Sep 17 00:00:00 2001
From: Mark Adler <fork@madler.net>
Date: Sat, 30 Jul 2022 15:51:11 -0700
Subject: [PATCH] Fix a bug when getting a gzip header extra field with
 inflate().

If the extra field was larger than the space the user provided with
inflateGetHeader(), and if multiple calls of inflate() delivered
the extra header data, then there could be a buffer overflow of the
provided space. This commit assures that provided space is not
exceeded.
---
 inflate.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/inflate.c b/inflate.c
index 7be8c6366..7a7289749 100644
--- a/inflate.c
+++ b/inflate.c
@@ -763,9 +763,10 @@ int flush;
                 copy = state->length;
                 if (copy > have) copy = have;
                 if (copy) {
+                    len = state->head->extra_len - state->length;
                     if (state->head != Z_NULL &&
-                        state->head->extra != Z_NULL) {
-                        len = state->head->extra_len - state->length;
+                        state->head->extra != Z_NULL &&
+                        len < state->head->extra_max) {
                         zmemcpy(state->head->extra + len, next,
                                 len + copy > state->head->extra_max ?
                                 state->head->extra_max - len : copy);
From 1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d Mon Sep 17 00:00:00 2001
From: Mark Adler <fork@madler.net>
Date: Mon, 8 Aug 2022 10:50:09 -0700
Subject: [PATCH] Fix extra field processing bug that dereferences NULL
 state->head.

The recent commit to fix a gzip header extra field processing bug
introduced the new bug fixed here.
---
 inflate.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/inflate.c b/inflate.c
index 7a7289749..2a3c4fe98 100644
--- a/inflate.c
+++ b/inflate.c
@@ -763,10 +763,10 @@ int flush;
                 copy = state->length;
                 if (copy > have) copy = have;
                 if (copy) {
-                    len = state->head->extra_len - state->length;
                     if (state->head != Z_NULL &&
                         state->head->extra != Z_NULL &&
-                        len < state->head->extra_max) {
+                        (len = state->head->extra_len - state->length) <
+                            state->head->extra_max) {
                         zmemcpy(state->head->extra + len, next,
                                 len + copy > state->head->extra_max ?
                                 state->head->extra_max - len : copy);
Commit	Line	Data
39d59a8f JP	1	From eff308af425b67093bab25f80f1ae950166bece1 Mon Sep 17 00:00:00 2001
	2	From: Mark Adler <fork@madler.net>
	3	Date: Sat, 30 Jul 2022 15:51:11 -0700
	4	Subject: [PATCH] Fix a bug when getting a gzip header extra field with
	5	inflate().
	6
	7	If the extra field was larger than the space the user provided with
	8	inflateGetHeader(), and if multiple calls of inflate() delivered
	9	the extra header data, then there could be a buffer overflow of the
	10	provided space. This commit assures that provided space is not
	11	exceeded.
	12	---
	13	inflate.c \| 5 +++--
	14	1 file changed, 3 insertions(+), 2 deletions(-)
	15
	16	diff --git a/inflate.c b/inflate.c
	17	index 7be8c6366..7a7289749 100644
	18	--- a/inflate.c
	19	+++ b/inflate.c
	20	@@ -763,9 +763,10 @@ int flush;
	21	copy = state->length;
	22	if (copy > have) copy = have;
	23	if (copy) {
	24	+ len = state->head->extra_len - state->length;
	25	if (state->head != Z_NULL &&
	26	- state->head->extra != Z_NULL) {
	27	- len = state->head->extra_len - state->length;
	28	+ state->head->extra != Z_NULL &&
	29	+ len < state->head->extra_max) {
	30	zmemcpy(state->head->extra + len, next,
	31	len + copy > state->head->extra_max ?
	32	state->head->extra_max - len : copy);
	33	From 1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d Mon Sep 17 00:00:00 2001
	34	From: Mark Adler <fork@madler.net>
	35	Date: Mon, 8 Aug 2022 10:50:09 -0700
	36	Subject: [PATCH] Fix extra field processing bug that dereferences NULL
	37	state->head.
	38
	39	The recent commit to fix a gzip header extra field processing bug
	40	introduced the new bug fixed here.
	41	---
	42	inflate.c \| 4 ++--
	43	1 file changed, 2 insertions(+), 2 deletions(-)
	44
	45	diff --git a/inflate.c b/inflate.c
	46	index 7a7289749..2a3c4fe98 100644
	47	--- a/inflate.c
	48	+++ b/inflate.c
	49	@@ -763,10 +763,10 @@ int flush;
	50	copy = state->length;
	51	if (copy > have) copy = have;
	52	if (copy) {
	53	- len = state->head->extra_len - state->length;
	54	if (state->head != Z_NULL &&
	55	state->head->extra != Z_NULL &&
	56	- len < state->head->extra_max) {
	57	+ (len = state->head->extra_len - state->length) <
	58	+ state->head->extra_max) {
	59	zmemcpy(state->head->extra + len, next,
	60	len + copy > state->head->extra_max ?
	61	state->head->extra_max - len : copy);