From: Nathan Moinvaziri
Date: Tue, 25 Feb 2020 13:01:30 +0000 (-0800)
Subject: Fixed segmentation fault in deflate_quick() when switching levels using deflateParam...
X-Git-Tag: 1.9.9-b1~326
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=b598da260b65d6e71a291ad37ae8e57c74476df0;p=thirdparty%2Fzlib-ng.git
Fixed segmentation fault in deflate_quick() when switching levels using deflateParam. deflateInit would be initialized with a window size greater than 8K then deflateParams called to switch to level 1 without updating to w_size and the fault would occur because deflate_quick was not checking w_size bounds on dist when accessing quick_dist_codes.
---
diff --git a/arch/x86/deflate_quick.c b/arch/x86/deflate_quick.c
index 74b904600..abc4334a7 100644
--- a/arch/x86/deflate_quick.c
+++ b/arch/x86/deflate_quick.c
@@ -209,6 +209,10 @@ static inline Pos quick_insert_string(deflate_state *const s, const Pos str) {
 ZLIB_INTERNAL block_state deflate_quick(deflate_state *s, int flush) {
 IPos hash_head;
 unsigned dist, match_len;
+ unsigned int wsize = s->w_size;
+
+ if (wsize > 8192)
+ wsize = 8192;
 if (s->block_open == 0) {
 static_emit_tree(s, flush);
@@ -237,7 +241,7 @@ ZLIB_INTERNAL block_state deflate_quick(deflate_state *s, int flush) {
 hash_head = quick_insert_string(s, s->strstart);
 dist = s->strstart - hash_head;
- if (dist > 0 && (dist-1) < (s->w_size - 1)) {
+ if (dist > 0 && (dist-1) < (wsize - 1)) {
 match_len = compare258(s->window + s->strstart, s->window + hash_head);
 if (match_len >= MIN_MATCH) {
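Review bot: The clamp `if (wsize > 8192) wsize = 8192;` at the top of deflate_quick() is the only bounds check protecting the quick_dist_codes lookup named in the commit message, yet the limit is a bare literal with no link to that table's size. The table is not visible in this diff, so 8192 presumably matches its distance range; I would document the limit where it is applied, e.g. `/* quick_dist_codes only covers distances below 8K; w_size can be larger when deflateParams() switches to level 1 after init */`, and ideally derive it from, or static-assert it against, the table's dimension so the guard in the second hunk, `(dist-1) < (wsize - 1)`, cannot drift from the table. The clamp also handles the problem at the use site while s->w_size itself stays larger than the level-1 path expects, so it is worth confirming that no other code reached at level 1 indexes by distance under the same assumption, and adding a regression test that initialises with a large window and then switches to level 1. deflate_quick's body continues outside both hunks.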