If the extra field was larger than the space the user provided with
authorMika Lindqvist <postmaster@raasu.org>
Fri, 19 Aug 2022 12:00:21 +0000 (15:00 +0300)
committerHans Kristian Rosbach <hk-github@circlestorm.org>
Fri, 17 Mar 2023 20:27:56 +0000 (21:27 +0100)
inflateGetHeader(), and if multiple calls of inflate() delivered
the extra header data, then there could be a buffer overflow of the
provided space. This commit assures that provided space is not
exceeded.

See #1323.

inflate.c

index 5a774fa0847225a13eb44b52409fa0cd36e14d30..3990eb3d91f00c2c43db5ee55c733493dad76d4b 100644 (file)
--- a/inflate.c
+++ b/inflate.c
@@ -509,9 +509,11 @@ int32_t Z_EXPORT PREFIX(inflate)(PREFIX3(stream) *strm, int32_t flush) {
                 if (copy) {
                     if (state->head != NULL && state->head->extra != NULL) {
                         len = state->head->extra_len - state->length;
-                        memcpy(state->head->extra + len, next,
-                                len + copy > state->head->extra_max ?
-                                state->head->extra_max - len : copy);
+                        if (len < state->head->extra_max) {
+                            memcpy(state->head->extra + len, next,
+                                    len + copy > state->head->extra_max ?
+                                    state->head->extra_max - len : copy);
+                        }
                     }
                     if ((state->flags & 0x0200) && (state->wrap & 4))
                         state->check = PREFIX(crc32)(state->check, next, copy);
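Review bot: The new guard `if (len < state->head->extra_max)` has no comment explaining why it exists, and the reason is not obvious from the code. `len` is the offset of extra-field bytes already delivered by earlier inflate() calls, so once it reaches `extra_max` the `state->head->extra_max - len` arm of the ternary would wrap and give memcpy a huge length (assuming both are unsigned; their declarations are outside the hunk). I would add above the guard `/* len = extra bytes already seen; skip the copy once the caller's buffer is full, otherwise extra_max - len wraps */`. The surplus bytes are dropped without any error while the CRC update below still runs over them, so a caller presumably has to compare `extra_len` with `extra_max` to notice truncation, which is worth stating in the same comment. Only inflate.c appears in this commit, so a regression test feeding an oversized extra field across several inflate() calls would help pin the fix; the body of inflate() starts and ends outside the hunk.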