From: Mika Lindqvist Date: Fri, 19 Aug 2022 12:00:21 +0000 (+0300) Subject: If the extra field was larger than the space the user provided with X-Git-Tag: 2.1.0-beta1~170 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9309904fe79cd60599259022bd2aab2a3e1fb0d8;p=thirdparty%2Fzlib-ng.git If the extra field was larger than the space the user provided with inflateGetHeader(), and if multiple calls of inflate() delivered the extra header data, then there could be a buffer overflow of the provided space. This commit assures that provided space is not exceeded. See #1323. --- diff --git a/inflate.c b/inflate.c index 4bd9b938a..6085fffac 100644 --- a/inflate.c +++ b/inflate.c @@ -552,9 +552,11 @@ int32_t Z_EXPORT PREFIX(inflate)(PREFIX3(stream) *strm, int32_t flush) { if (copy) { if (state->head != NULL && state->head->extra != NULL) { len = state->head->extra_len - state->length; - memcpy(state->head->extra + len, next, - len + copy > state->head->extra_max ? - state->head->extra_max - len : copy); + if (len < state->head->extra_max) { + memcpy(state->head->extra + len, next, + len + copy > state->head->extra_max ? + state->head->extra_max - len : copy); + } } if ((state->flags & 0x0200) && (state->wrap & 4)) { state->check = PREFIX(crc32)(state->check, next, copy);
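Review bot: the new `if (len < state->head->extra_max)` guard around the `memcpy` has no comment saying which case it closes, and the patch touches only `inflate.c`, so nothing exercises that case. From the visible lines, `len = state->head->extra_len - state->length` is the offset already consumed from the extra field. Once an earlier `inflate()` call has pushed that offset past `extra_max`, the old ternary's `state->head->extra_max - len` is no longer a valid size. It wraps if these fields are unsigned, which the hunk does not show. A short comment above the guard would help, for example that no space is left in the caller's buffer once `len` reaches `extra_max`. A regression test should also accompany the fix, feeding a gzip header whose extra field is longer than `extra_max` across several `inflate()` calls, as the commit message describes. As a style point, the bound is now expressed twice, in the guard and in the ternary. Computing the remaining space once (`extra_max - len` inside the guard) and clamping `copy` to it would make the invariant easier to audit.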