From: Hans Kristian Rosbach Date: Wed, 25 Sep 2024 15:18:49 +0000 (+0200) Subject: Don't use 'dmax' and 'sane' variables unless their checks have been compiled in. X-Git-Tag: 2.2.3~34 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=39e9c86ec0a8f28c2edda8a73120b8b1700f82e8;p=thirdparty%2Fzlib-ng.git Don't use 'dmax' and 'sane' variables unless their checks have been compiled in. --- diff --git a/infback.c b/infback.c index 307d05ca..6e5dcd03 100644 --- a/infback.c +++ b/infback.c @@ -53,14 +53,18 @@ int32_t ZNG_CONDEXPORT PREFIX(inflateBackInit)(PREFIX3(stream) *strm, int32_t wi Tracev((stderr, "inflate: allocated\n")); strm->state = (struct internal_state *)state; - state->dmax = 32768U; state->wbits = (unsigned int)windowBits; state->wsize = 1U << windowBits; state->window = window; state->wnext = 0; state->whave = 0; - state->sane = 1; state->chunksize = FUNCTABLE_CALL(chunksize)(); +#ifdef INFLATE_STRICT + state->dmax = 32768U; +#endif +#ifdef INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR + state->sane = 1; +#endif return Z_OK; } diff --git a/inffast_tpl.h b/inffast_tpl.h index 2600dd5a..cd5c79e8 100644 --- a/inffast_tpl.h +++ b/inffast_tpl.h @@ -59,9 +59,6 @@ void Z_INTERNAL INFLATE_FAST(PREFIX3(stream) *strm, uint32_t start) { unsigned char *beg; /* inflate()'s initial strm->next_out */ unsigned char *end; /* while out < end, enough space available */ unsigned char *safe; /* can use chunkcopy provided out < safe */ -#ifdef INFLATE_STRICT - unsigned dmax; /* maximum distance from zlib header */ -#endif unsigned wsize; /* window size or zero if not using window */ unsigned whave; /* valid bytes in the window */ unsigned wnext; /* window write index */ 
@@ -126,9 +123,6 @@ void Z_INTERNAL INFLATE_FAST(PREFIX3(stream) *strm, uint32_t start) {
 beg = out - (start - strm->avail_out);
 end = out + (strm->avail_out - (INFLATE_FAST_MIN_LEFT - 1));
 safe = out + strm->avail_out;
-#ifdef INFLATE_STRICT
- dmax = state->dmax;
-#endif
 wsize = state->wsize;
 whave = state->whave;
 wnext = state->wnext;
@@ -193,7 +187,7 @@ void Z_INTERNAL INFLATE_FAST(PREFIX3(stream) *strm, uint32_t start) {
 op &= MAX_BITS; /* number of extra bits */
 dist += BITS(op);
 #ifdef INFLATE_STRICT
- if (dist > dmax) {
+ if (dist > state->dmax) {
 SET_BAD("invalid distance too far back");
 break;
 }
@@ -204,11 +198,11 @@ void Z_INTERNAL INFLATE_FAST(PREFIX3(stream) *strm, uint32_t start) {
 if (dist > op) { /* see if copy from window */
 op = dist - op; /* distance back in window */
 if (op > whave) {
+#ifdef INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR
 if (state->sane) {
 SET_BAD("invalid distance too far back");
 break;
 }
-#ifdef INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR
 if (len <= op - whave) {
 do {
 *out++ = 0;
@@ -226,6 +220,9 @@ void Z_INTERNAL INFLATE_FAST(PREFIX3(stream) *strm, uint32_t start) {
 } while (--len);
 continue;
 }
+#else
+ SET_BAD("invalid distance too far back");
+ break;
 #endif
 }
 from = window;
diff --git a/inflate.c b/inflate.c
index cfcbf523..fdf80c07 100644
--- a/inflate.c
+++ b/inflate.c
@@ -73,13 +73,17 @@ int32_t Z_EXPORT PREFIX(inflateResetKeep)(PREFIX3(stream) *strm) {
 state->last = 0;
 state->havedict = 0;
 state->flags = -1;
- state->dmax = 32768U;
 state->head = NULL;
 state->hold = 0;
 state->bits = 0;
 state->lencode = state->distcode = state->next = state->codes;
- state->sane = 1;
 state->back = -1;
+#ifdef INFLATE_STRICT
+ state->dmax = 32768U;
+#endif
+#ifdef INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR
+ state->sane = 1;
+#endif
 INFLATE_RESET_KEEP_HOOK(strm); /* hook for IBM Z DFLTCC */
 Tracev((stderr, "inflate: reset\n"));
 return Z_OK;
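Review bot: In the inffast_tpl.h hunk at -193, `if (dist > state->dmax)` replaces a local copy with a read through `state` inside the decode loop. The loop stores through `out`, an `unsigned char *`, which the compiler must assume can alias `*state`, so in INFLATE_STRICT builds the limit may be reloaded for every distance code instead of staying in a register. If the strict build is meant to stay close to the default build in speed, this is worth measuring, or the hoisted copy the commit removes in the hunks at -59 and -126 could be kept. The loop body starts and ends outside this hunk.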
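Review bot: The `#ifdef INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR` region in INFLATE_FAST now opens in the inffast_tpl.h hunk at -204 and only reaches its `#else` and `#endif` in the hunk at -226, and neither end is labelled. The `#else` branch is the unconditional reject that default builds rely on when a distance points beyond the window, so it should be easy to find: `#else /* default build: a distance beyond the window is always rejected */` and `#endif /* INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR */`. The same labelling applies to the matching block in inflate() in inflate.c (hunks at -1049 and -1065). INFLATE_FAST's body continues outside these hunks.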
@@ -539,7 +543,9 @@ int32_t Z_EXPORT PREFIX(inflate)(PREFIX3(stream) *strm, int32_t flush) { SET_BAD("invalid window size"); break; } +#ifdef INFLATE_STRICT state->dmax = 1U << len; +#endif state->flags = 0; /* indicate zlib header */ Tracev((stderr, "inflate: zlib header ok\n")); strm->adler = state->check = ADLER32_INITIAL_VALUE; @@ -1049,11 +1055,11 @@ int32_t Z_EXPORT PREFIX(inflate)(PREFIX3(stream) *strm, int32_t flush) { if (state->offset > copy) { /* copy from window */ copy = state->offset - copy; if (copy > state->whave) { +#ifdef INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR if (state->sane) { SET_BAD("invalid distance too far back"); break; } -#ifdef INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR Trace((stderr, "inflate.c too far\n")); copy -= state->whave; copy = MIN(copy, state->length); @@ -1065,8 +1071,10 @@ int32_t Z_EXPORT PREFIX(inflate)(PREFIX3(stream) *strm, int32_t flush) { } while (--copy); if (state->length == 0) state->mode = LEN; - break; +#else + SET_BAD("invalid distance too far back"); #endif + break; } if (copy > state->wnext) { copy -= state->wnext; @@ -1404,17 +1412,17 @@ int32_t Z_EXPORT PREFIX(inflateCopy)(PREFIX3(stream) *dest, PREFIX3(stream) *sou } int32_t Z_EXPORT PREFIX(inflateUndermine)(PREFIX3(stream) *strm, int32_t subvert) { +#ifdef INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR struct inflate_state *state; if (inflateStateCheck(strm)) return Z_STREAM_ERROR; state = (struct inflate_state *)strm->state; -#ifdef INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR state->sane = !subvert; return Z_OK; #else + Z_UNUSED(strm); Z_UNUSED(subvert); - state->sane = 1; return Z_DATA_ERROR; #endif } diff --git a/inflate.h b/inflate.h index 30ff7db3..7fd6c44c 100644 --- a/inflate.h +++ b/inflate.h 
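Review bot: In the inflate.c hunk at -1404, the `#else` branch of inflateUndermine no longer validates the stream. A build without INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR therefore returns Z_DATA_ERROR for a `strm` that `inflateStateCheck` would reject, where the old code returned Z_STREAM_ERROR before reaching the `#ifdef`. Callers or tests that distinguish the two codes would see a changed contract for this exported function. Keeping the check in that branch, `if (inflateStateCheck(strm)) return Z_STREAM_ERROR;` in place of `Z_UNUSED(strm);`, preserves the earlier behaviour without touching `state->sane`.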
@@ -105,7 +105,6 @@ struct ALIGNED_(64) inflate_state { int havedict; /* true if dictionary provided */ int flags; /* gzip header method and flags, 0 if zlib, or -1 if raw or no header yet */ - unsigned dmax; /* zlib header max distance (INFLATE_STRICT) */ unsigned long check; /* protected copy of check value */ unsigned long total; /* protected copy of output count */ PREFIX(gz_headerp) head; /* where to save gzip header information */ @@ -145,11 +144,17 @@ struct ALIGNED_(64) inflate_state { uint16_t lens[320]; /* temporary storage for code lengths */ uint16_t work[288]; /* work area for code table building */ code codes[ENOUGH]; /* space for code tables */ - int sane; /* if false, allow invalid distance too far */ int back; /* bits back of last unprocessed length/lit */ unsigned was; /* initial length of match */ uint32_t chunksize; /* size of memory copying chunk */ inflate_allocs *alloc_bufs; /* struct for handling memory allocations */ + +#ifdef INFLATE_STRICT + unsigned dmax; /* zlib header max distance (INFLATE_STRICT) */ +#endif +#ifdef INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR + int sane; /* if false, allow invalid distance too far */ +#endif #ifdef HAVE_ARCH_INFLATE_STATE arch_inflate_state arch; /* architecture-specific extensions */ #endif
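Review bot: In the inflate.h hunk at -145, `struct inflate_state` now changes size and member offsets with INFLATE_STRICT and INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR, and nothing at the new `#ifdef` block says that every translation unit including this header must be built with the same settings. If one object file were compiled with a different definition (a per-file or per-arch flag, say), the `arch` member that follows would be read at the wrong offset and the allocation size would disagree between files. I would add a comment above the block such as `/* Layout depends on these macros: define them for the whole build, never per file */`. The struct definition starts and ends outside this hunk.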