If the extra field was larger than the space the user provided with
authorMika Lindqvist <postmaster@raasu.org>
Fri, 19 Aug 2022 12:00:21 +0000 (15:00 +0300)
committerHans Kristian Rosbach <hk-github@circlestorm.org>
Mon, 5 Sep 2022 09:27:40 +0000 (11:27 +0200)
inflateGetHeader(), and if multiple calls of inflate() delivered
the extra header data, then there could be a buffer overflow of the
provided space. This commit assures that provided space is not
exceeded.

See #1323.

inflate.c

index 4bd9b938a2f1cc4f3e9f81d20410fee72ed72608..6085fffac9b0dffa40a2f03331b867486390348b 100644 (file)
--- a/inflate.c
+++ b/inflate.c
@@ -552,9 +552,11 @@ int32_t Z_EXPORT PREFIX(inflate)(PREFIX3(stream) *strm, int32_t flush) {
                 if (copy) {
                     if (state->head != NULL && state->head->extra != NULL) {
                         len = state->head->extra_len - state->length;
-                        memcpy(state->head->extra + len, next,
-                                len + copy > state->head->extra_max ?
-                                state->head->extra_max - len : copy);
+                        if (len < state->head->extra_max) {
+                            memcpy(state->head->extra + len, next,
+                                    len + copy > state->head->extra_max ?
+                                    state->head->extra_max - len : copy);
+                        }
                     }
                     if ((state->flags & 0x0200) && (state->wrap & 4)) {
                         state->check = PREFIX(crc32)(state->check, next, copy);
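Review bot: The new `if (len < state->head->extra_max)` guard has no comment, and next to the ternary clamp it can look redundant to a later reader. I would add above it something like `/* extra data from earlier inflate() calls may already have filled the caller's buffer; extra_max - len would wrap below */`. With the guard in place, the size can also be written without the addition as `copy > state->head->extra_max - len ? state->head->extra_max - len : copy`, so the bound no longer depends on `len + copy` staying in range. The declarations of `len` and `copy` and the rest of this inflate() state are outside the hunk, so this assumes both are unsigned. A regression test that delivers an extra field longer than `extra_max` across several inflate() calls would pin the fixed behaviour.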