From: Mark Adler Date: Fri, 27 Nov 2015 06:52:25 +0000 (-0800) Subject: Fix bug that accepted invalid zlib header when windowBits is zero. X-Git-Tag: 1.9.9-b1~792^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F58%2Fhead;p=thirdparty%2Fzlib-ng.git Fix bug that accepted invalid zlib header when windowBits is zero. When windowBits is zero, the size of the sliding window comes from the zlib header. The allowed values of the four-bit field are 0..7, but when windowBits is zero, values greater than 7 are permitted and acted upon, resulting in large, mostly unused memory allocations. This fix rejects such invalid zlib headers. --- diff --git a/inflate.c b/inflate.c index 0b2ee2fe..1b940082 100644 --- a/inflate.c +++ b/inflate.c @@ -640,9 +640,9 @@ int ZEXPORT inflate(z_stream *strm, int flush) { } DROPBITS(4); len = BITS(4) + 8; - if (state->wbits == 0) { + if (state->wbits == 0) state->wbits = len; - } else if (len > state->wbits) { + if (len > 15 || len > state->wbits) { strm->msg = (char *)"invalid window size"; state->mode = BAD; break;
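Review bot: in the `state->wbits == 0` case, `state->wbits = len;` now runs before the `len > 15` test, so a header that is rejected still leaves its out-of-range value (up to 23, since `len = BITS(4) + 8`) stored in `state->wbits` while the stream moves to `BAD`. Consider testing the range first and assigning only once it passes, for example `if (len > 15 || (state->wbits != 0 && len > state->wbits))` for the error path followed by the assignment when `state->wbits == 0`. If the current order is kept, add a comment stating that `state->wbits` is not relied on after `state->mode = BAD`. The literal `15` would also benefit from a short comment tying it to the 0..7 limit on the four-bit field described in the commit message (7 + 8). The commit shows no accompanying test; a regression case that feeds a header with a window field greater than 7 to a stream initialised with windowBits of zero and expects "invalid window size" would pin the fix down.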