From 44bad37ef1a142a150da0c3ca86ba87178e8e463 Mon Sep 17 00:00:00 2001
From: Mark Adler
Date: Thu, 26 Nov 2015 22:52:25 -0800
Subject: [PATCH] Fix bug that accepted invalid zlib header when windowBits is zero.

When windowBits is zero, the size of the sliding window comes from the zlib header. The allowed values of the four-bit field are 0..7, but when windowBits is zero, values greater than 7 are permitted and acted upon, resulting in large, mostly unused memory allocations. This fix rejects such invalid zlib headers.
---
 inflate.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/inflate.c b/inflate.c
index 0b2ee2fe..1b940082 100644
--- a/inflate.c
+++ b/inflate.c
@@ -640,9 +640,9 @@ int ZEXPORT inflate(z_stream *strm, int flush) {
 }
 DROPBITS(4);
 len = BITS(4) + 8;
- if (state->wbits == 0) {
+ if (state->wbits == 0)
 state->wbits = len;
- } else if (len > state->wbits) {
+ if (len > 15 || len > state->wbits) {
 strm->msg = (char *)"invalid window size";
 state->mode = BAD;
 break;
-- 
2.47.2
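Review bot: In the `state->wbits == 0` path the header value is stored into `state->wbits` before it is validated, so when the new `len > 15` test rejects the header, the out-of-range value stays in the state. Whether any code reads `state->wbits` after the stream enters `BAD` is not visible in this hunk, but validating first removes the question. Test `if (len > 15 || (state->wbits != 0 && len > state->wbits)) {` and move `if (state->wbits == 0) state->wbits = len;` to after the rejection block; this rejects exactly the same headers. A short comment such as `/* zlib header window field: len must be 8..15 */` would also explain the literal 15. The body of inflate() starts and ends outside the hunk.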