]>
Commit | Line | Data |
---|---|---|
30f0ea19 PM |
1 | commit eff308af425b67093bab25f80f1ae950166bece1 |
2 | Author: Mark Adler <fork@madler.net> | |
3 | Date: Sat Jul 30 15:51:11 2022 -0700 | |
4 | ||
5 | Fix a bug when getting a gzip header extra field with inflate(). | |
6 | ||
7 | If the extra field was larger than the space the user provided with | |
8 | inflateGetHeader(), and if multiple calls of inflate() delivered | |
9 | the extra header data, then there could be a buffer overflow of the | |
10 | provided space. This commit assures that provided space is not | |
11 | exceeded. | |
12 | ||
13 | diff --git a/inflate.c b/inflate.c | |
14 | index 7be8c63..7a72897 100644 | |
15 | --- a/inflate.c | |
16 | +++ b/inflate.c | |
17 | @@ -763,9 +763,10 @@ int flush; | |
18 | copy = state->length; | |
19 | if (copy > have) copy = have; | |
20 | if (copy) { | |
21 | + len = state->head->extra_len - state->length; | |
22 | if (state->head != Z_NULL && | |
23 | - state->head->extra != Z_NULL) { | |
24 | - len = state->head->extra_len - state->length; | |
25 | + state->head->extra != Z_NULL && | |
26 | + len < state->head->extra_max) { | |
27 | zmemcpy(state->head->extra + len, next, | |
28 | len + copy > state->head->extra_max ? | |
29 | state->head->extra_max - len : copy); |