From 045a278d86ffaeb455682618e2bc208059b72f5d Mon Sep 17 00:00:00 2001 From: Mark Adler Date: Fri, 17 Feb 2023 00:06:32 -0800 Subject: [PATCH] Assure that inflatePrime() can't shift a 32-bit integer by 32 bits. The inflate() functions never leave state->bits greater than 24, so an inflatePrime() call could not cause this. The only way this could have happened would be by using inflatePrime() to fill the bit buffer with 32 bits, and then calling inflatePrime() a *second* time asking to insert zero bits, for some reason. This commit assures that a shift by 32 bits does not occur even in that case. --- inflate.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/inflate.c b/inflate.c index df4c56a1..0cbed041 100644 --- a/inflate.c +++ b/inflate.c @@ -190,6 +190,8 @@ int32_t Z_EXPORT PREFIX(inflatePrime)(PREFIX3(stream) *strm, int32_t bits, int32 if (inflateStateCheck(strm)) return Z_STREAM_ERROR; + if (bits == 0) + return Z_OK; INFLATE_PRIME_HOOK(strm, bits, value); /* hook for IBM Z DFLTCC */ state = (struct inflate_state *)strm->state; if (bits < 0) { -- 2.47.3
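Review bot: In the inflate.c hunk at -190, the new `if (bits == 0) return Z_OK;` sits ahead of `INFLATE_PRIME_HOOK(strm, bits, value)`, so a zero-bit call now returns before the IBM Z DFLTCC hook is consulted. If that hook can reject the call or needs to observe it, the return value for `bits == 0` changes on that platform. Please confirm that is intended, or move the check below the hook. The guard also carries no comment, and nothing in the code says why zero is special-cased. A one-line comment stating that it avoids a 32-bit shift when the bit buffer already holds 32 bits (the case the commit message describes) would keep a later cleanup from removing it as a redundant no-op check. A regression test that primes 32 bits and then calls `inflatePrime()` with zero bits would pin the behaviour down.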