From: Hans Wennborg <hans@chromium.org>
Date: Tue, 30 Jan 2024 00:39:52 +0000 (-0800)
Subject: Fix pending buffer overflow assert with LIT_MEM allocation.
X-Git-Tag: 2.2.0~93
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=101589d3503d956ca79b7e41714fdfcb616e429b;p=thirdparty%2Fzlib-ng.git

Fix pending buffer overflow assert with LIT_MEM allocation.

Since each element in s->d_buf is 2 bytes, the sx index should be
multiplied by 2 in the assert.

Fixes madler/zlib#897

madler/zlib#ee474ff2d11715485a87b123edbdd615ba218b88
---

diff --git a/trees.c b/trees.c
index d10f4a49..e3e02a48 100644
--- a/trees.c
+++ b/trees.c
@@ -738,7 +738,7 @@ static void compress_block(deflate_state *s, const ct_data *ltree, const ct_data
 
             /* Check for no overlay of pending_buf on needed symbols */
 #ifdef LIT_MEM
-            Assert(s->pending < (s->lit_bufsize << 1) + sx, "pending_buf overflow");
+            Assert(s->pending < 2 * (s->lit_bufsize + sx), "pending_buf overflow");
 #else
             Assert(s->pending < s->lit_bufsize + sx, "pending_buf overflow");
 #endif