[people/pmueller/ipfire-2.x.git] / src / patches / zlib-CVE-2022-37434.patch

commit eff308af425b67093bab25f80f1ae950166bece1
Author: Mark Adler <fork@madler.net>
Date:   Sat Jul 30 15:51:11 2022 -0700

    Fix a bug when getting a gzip header extra field with inflate().
    
    If the extra field was larger than the space the user provided with
    inflateGetHeader(), and if multiple calls of inflate() delivered
    the extra header data, then there could be a buffer overflow of the
    provided space. This commit assures that provided space is not
    exceeded.

diff --git a/inflate.c b/inflate.c
index 7be8c63..7a72897 100644
--- a/inflate.c
+++ b/inflate.c
@@ -763,9 +763,10 @@ int flush;
                 copy = state->length;
                 if (copy > have) copy = have;
                 if (copy) {
+                    len = state->head->extra_len - state->length;
                     if (state->head != Z_NULL &&
-                        state->head->extra != Z_NULL) {
-                        len = state->head->extra_len - state->length;
+                        state->head->extra != Z_NULL &&
+                        len < state->head->extra_max) {
                         zmemcpy(state->head->extra + len, next,
                                 len + copy > state->head->extra_max ?
                                 state->head->extra_max - len : copy);
Commit	Line	Data
30f0ea19 PM	1	commit eff308af425b67093bab25f80f1ae950166bece1
	2	Author: Mark Adler <fork@madler.net>
	3	Date: Sat Jul 30 15:51:11 2022 -0700
	4
	5	Fix a bug when getting a gzip header extra field with inflate().
	6
	7	If the extra field was larger than the space the user provided with
	8	inflateGetHeader(), and if multiple calls of inflate() delivered
	9	the extra header data, then there could be a buffer overflow of the
	10	provided space. This commit assures that provided space is not
	11	exceeded.
	12
	13	diff --git a/inflate.c b/inflate.c
	14	index 7be8c63..7a72897 100644
	15	--- a/inflate.c
	16	+++ b/inflate.c
	17	@@ -763,9 +763,10 @@ int flush;
	18	copy = state->length;
	19	if (copy > have) copy = have;
	20	if (copy) {
	21	+ len = state->head->extra_len - state->length;
	22	if (state->head != Z_NULL &&
	23	- state->head->extra != Z_NULL) {
	24	- len = state->head->extra_len - state->length;
	25	+ state->head->extra != Z_NULL &&
	26	+ len < state->head->extra_max) {
	27	zmemcpy(state->head->extra + len, next,
	28	len + copy > state->head->extra_max ?
	29	state->head->extra_max - len : copy);