From: Sebastian Pop Date: Tue, 26 Mar 2019 16:59:45 +0000 (-0500) Subject: fix oss-fuzz/13863 X-Git-Tag: 1.9.9-b1~498 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=d62321622a3bbff0633a55f6525d8d64887a0bb7;p=thirdparty%2Fzlib-ng.git fix oss-fuzz/13863 The oss fuzzers started failing with the following assert ``` ASSERT: 0 == memcmp(data + offset, buf, len) ``` after the following patch has been pulled in the tree: ``` commit 20ca64fa5d2d8a7421ed86b68709ef971dcfbddf Author: Sebastian Pop Date: Wed Mar 6 14:16:20 2019 -0600 define and use chunkmemset instead of byte_memset for INFFAST_CHUNKSIZE ``` The function chunkcopysafe is assuming that the input `len` is less than 16 bytes: ``` if ((safe - out) < (ptrdiff_t)INFFAST_CHUNKSIZE) { ``` but we were called with `len = 22` because `safe` was defined too small: ``` - safe = out + (strm->avail_out - INFFAST_CHUNKSIZE); ``` and the difference `safe - out` was 16 bytes smaller than the actual `len`. The patch fixes the initialization of `safe` to: ``` + safe = out + strm->avail_out; ``` --- diff --git a/inffast.c b/inffast.c index f2811ef82..bd9b2a1c4 100644 --- a/inffast.c +++ b/inffast.c @@ -138,7 +138,7 @@ void ZLIB_INTERNAL inflate_fast(PREFIX3(stream) *strm, unsigned long start) { end = out + (strm->avail_out - (INFLATE_FAST_MIN_LEFT - 1)); #ifdef INFFAST_CHUNKSIZE - safe = out + (strm->avail_out - INFFAST_CHUNKSIZE); + safe = out + strm->avail_out; #endif #ifdef INFLATE_STRICT dmax = state->dmax;
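Review bot: The new `safe = out + strm->avail_out` changes the meaning of `safe` from "end of output minus one chunk" to "true end of the writable output", so the `(safe - out) < (ptrdiff_t)INFFAST_CHUNKSIZE` guard quoted in the message now fires only when fewer than INFFAST_CHUNKSIZE bytes actually remain, instead of 16 bytes early with a `len` the slow path was not written for; please add a short comment next to the `safe` assignment in the hunk recording that invariant and how it differs from `end`, which still subtracts `INFLATE_FAST_MIN_LEFT - 1`. Since `safe` is now the exact buffer end, every chunk-copy caller in inffast.c that compares against `safe` (not visible in this hunk) should be checked to confirm it never writes a full chunk past it, and the oss-fuzz/13863 input should be kept as a regression test so the `0 == memcmp(data + offset, buf, len)` assert stays covered.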