git.ipfire.org Git - thirdparty/zlib-ng.git/commitdiff
Assure that inflatePrime() can't shift a 32-bit integer by 32 bits.
author Mark Adler <madler@alumni.caltech.edu>
Fri, 17 Feb 2023 08:06:32 +0000 (00:06 -0800)
committer Hans Kristian Rosbach <hk-git@circlestorm.org>
Wed, 26 Apr 2023 12:01:14 +0000 (14:01 +0200)
The inflate() functions never leave state->bits greater than 24, so
an inflatePrime() call could not cause this. The only way this
could have happened would be by using inflatePrime() to fill the
bit buffer with 32 bits, and then calling inflatePrime() a *second*
time asking to insert zero bits, for some reason. This commit
assures that a shift by 32 bits does not occur even in that case.

inflate.c

index df4c56a168d1805a813bf85377c5a4e4bf04d8a2..0cbed041d71156915d53ca3b53c3e6cf05e2026f 100644 (file)
--- a/inflate.c
+++ b/inflate.c
@@ -190,6 +190,8 @@ int32_t Z_EXPORT PREFIX(inflatePrime)(PREFIX3(stream) *strm, int32_t bits, int32
 
     if (inflateStateCheck(strm))
         return Z_STREAM_ERROR;
+    if (bits == 0)
+        return Z_OK;
     INFLATE_PRIME_HOOK(strm, bits, value);  /* hook for IBM Z DFLTCC */
     state = (struct inflate_state *)strm->state;
     if (bits < 0) {
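
Review bot: the early `if (bits == 0) return Z_OK;` sits before `INFLATE_PRIME_HOOK(strm, bits, value)`, so a zero-bit call no longer reaches the IBM Z DFLTCC hook; please confirm that skipping the hook is intended for this case, or move the check to just after the hook. The new lines also carry no comment, and the reason for them is only in the commit message: a one-line comment such as "inserting zero bits is a no-op; return early so a full 32-bit buffer is never shifted by 32" would keep a later cleanup from removing the check as redundant. A regression test that primes the buffer with 32 bits and then calls inflatePrime() again with bits set to 0, as the commit message describes, would cover the path this guards.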