Fix bug that accepted invalid zlib header when windowBits is zero. 58/head
authorMark Adler <madler@alumni.caltech.edu>
Fri, 27 Nov 2015 06:52:25 +0000 (22:52 -0800)
committerMika Lindqvist <postmaster@raasu.org>
Sun, 13 Dec 2015 08:30:45 +0000 (10:30 +0200)
When windowBits is zero, the size of the sliding window comes from
the zlib header.  The allowed values of the four-bit field are
0..7, but when windowBits is zero, values greater than 7 are
permitted and acted upon, resulting in large, mostly unused memory
allocations.  This fix rejects such invalid zlib headers.

inflate.c

index 0b2ee2fecdd37b2710b6a7a8f6b49ba49df19074..1b9400824c60ea4bb12c724627a032716f84d193 100644 (file)
--- a/inflate.c
+++ b/inflate.c
@@ -640,9 +640,9 @@ int ZEXPORT inflate(z_stream *strm, int flush) {
             }
             DROPBITS(4);
             len = BITS(4) + 8;
-            if (state->wbits == 0) {
+            if (state->wbits == 0)
                 state->wbits = len;
-            } else if (len > state->wbits) {
+            if (len > 15 || len > state->wbits) {
                 strm->msg = (char *)"invalid window size";
                 state->mode = BAD;
                 break;
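Review bot: The assignment `state->wbits = len;` still runs before the range check, so when windowBits is zero and the header field is above 7 the stream is rejected but `state->wbits` keeps the out-of-range value (16..23). Whether that is reachable depends on code outside this hunk; presumably any later path that reuses `state->wbits` without reinitialising it would size the window from the bad value, so it is safer to store only a validated value: `if (state->wbits == 0 && len <= 15)`. A short comment next to the literal, such as `/* CINFO is 0..7, so window bits are 8..15 */`, would explain where the bound 15 comes from. The error block and the enclosing case in inflate() continue past the end of the hunk.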