From: Nathan Moinvaziri
Date: Tue, 22 Oct 2019 02:13:20 +0000 (-0700)
Subject: Fixed buffer read overflow in crc32 folding when allocation size is not a multiple...
X-Git-Tag: 1.9.9-b1~394
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2d189648d545fbada821e8d0cf0680f4b9064171;p=thirdparty%2Fzlib-ng.git
Fixed buffer read overflow in crc32 folding when allocation size is not a multiple of 16 bytes. zlib-ng/zlib-ng#452
---
diff --git a/arch/x86/crc_folding.c b/arch/x86/crc_folding.c
index 3b358f5f..eae7d28c 100644
--- a/arch/x86/crc_folding.c
+++ b/arch/x86/crc_folding.c
@@ -249,7 +249,7 @@ ZLIB_INTERNAL void crc_fold_copy(deflate_state *const s, unsigned char *dst, con
 goto partial;
 }
- algn_diff = (0 - (uintptr_t)src) & 0xF;
+ algn_diff = ((uintptr_t)0 - (uintptr_t)src) & 0xF;
 if (algn_diff) {
 xmm_crc_part = _mm_loadu_si128((__m128i *)src);
 _mm_storeu_si128((__m128i *)dst, xmm_crc_part);
@@ -311,7 +311,7 @@ ZLIB_INTERNAL void crc_fold_copy(deflate_state *const s, unsigned char *dst, con
 goto done;
 dst += 48;
- xmm_crc_part = _mm_load_si128((__m128i *)src + 3);
+ memcpy(&xmm_crc_part, (__m128i *)src + 3, len);
 } else if (len + 32 >= 0) {
 len += 32;
@@ -330,7 +330,7 @@ ZLIB_INTERNAL void crc_fold_copy(deflate_state *const s, unsigned char *dst, con
 goto done;
 dst += 32;
- xmm_crc_part = _mm_load_si128((__m128i *)src + 2);
+ memcpy(&xmm_crc_part, (__m128i *)src + 2, len);
 } else if (len + 48 >= 0) {
 len += 48;
@@ -346,12 +346,12 @@ ZLIB_INTERNAL void crc_fold_copy(deflate_state *const s, unsigned char *dst, con
 goto done;
 dst += 16;
- xmm_crc_part = _mm_load_si128((__m128i *)src + 1);
+ memcpy(&xmm_crc_part, (__m128i *)src + 1, len);
 } else {
 len += 64;
 if (len == 0)
 goto done;
- xmm_crc_part = _mm_load_si128((__m128i *)src);
+ memcpy(&xmm_crc_part, src, len);
 }
 _mm_storeu_si128((__m128i *)partial_buf, xmm_crc_part);
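Review bot: The memcpy replacements in the hunks at 311, 330 and 346 fill only `len` bytes of `xmm_crc_part`, whereas the `_mm_load_si128` calls they replace filled all 16, so the remaining `16 - len` bytes keep whatever the variable held before and `_mm_storeu_si128((__m128i *)partial_buf, xmm_crc_part)` then writes them out. If `xmm_crc_part` has not been assigned on the path that reaches these branches (its declaration is outside the hunks), that is a store of indeterminate bytes that MemorySanitizer or valgrind will report even if only `len` bytes of `partial_buf` are presumably consumed afterwards; a defined prefix is cheap, e.g. `xmm_crc_part = _mm_setzero_si128();` immediately before each memcpy, or once at the declaration. Because `len` is compared with `>= 0` it is a signed type here, so passing it as `(size_t)len` would make the branch invariant (1 <= len <= 15 after the `goto done` check) explicit at the call site. crc_fold_copy begins and ends outside the hunks.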