diff options
author | Sadaf Ebrahimi <sadafebrahimi@google.com> | 2023-01-05 05:02:31 +0000 |
---|---|---|
committer | Android Build Coastguard Worker <android-build-coastguard-worker@google.com> | 2023-02-14 18:16:06 +0000 |
commit | 6a020bf505f4eb6d860eccf72ae6d6b4c4b720e9 (patch) | |
tree | 39b447b9a386f15fc981e24ad2df65f1d4828a23 | |
parent | b4697d7c49c2bc27cf7e566bc3b3f8378f98bc01 (diff) | |
download | angle-6a020bf505f4eb6d860eccf72ae6d6b4c4b720e9.tar.gz |
Fix a bug when getting a gzip header extra field with inflate().
If the extra field was larger than the space the user provided with
inflateGetHeader(), and if multiple calls of inflate() delivered
the extra header data, then there could be a buffer overflow of the
provided space. This commit assures that provided space is not
exceeded.
Bug: http://b/242544249
Test: TreeHugger
Change-Id: I648db086d1e93b9f8b803dd106990afb8cbd2a85
(cherry picked from commit be373a02bd86e8eebae0b18e0d6a61d145ba8a2e)
Merged-In: I648db086d1e93b9f8b803dd106990afb8cbd2a85
-rw-r--r-- | third_party/zlib/contrib/optimizations/inflate.c | 5 | ||||
-rw-r--r-- | third_party/zlib/inflate.c | 5 |
2 files changed, 6 insertions, 4 deletions
diff --git a/third_party/zlib/contrib/optimizations/inflate.c b/third_party/zlib/contrib/optimizations/inflate.c index 4841cd964c..bb223af9c5 100644 --- a/third_party/zlib/contrib/optimizations/inflate.c +++ b/third_party/zlib/contrib/optimizations/inflate.c @@ -772,8 +772,9 @@ int flush; if (copy > have) copy = have; if (copy) { if (state->head != Z_NULL && - state->head->extra != Z_NULL) { - len = state->head->extra_len - state->length; + state->head->extra != Z_NULL && + (len = state->head->extra_len - state->length) < + state->head->extra_max) { zmemcpy(state->head->extra + len, next, len + copy > state->head->extra_max ? state->head->extra_max - len : copy); diff --git a/third_party/zlib/inflate.c b/third_party/zlib/inflate.c index 7543c33def..a9e2dddba4 100644 --- a/third_party/zlib/inflate.c +++ b/third_party/zlib/inflate.c @@ -761,8 +761,9 @@ int flush; if (copy > have) copy = have; if (copy) { if (state->head != Z_NULL && - state->head->extra != Z_NULL) { - len = state->head->extra_len - state->length; + state->head->extra != Z_NULL && + (len = state->head->extra_len - state->length) < + state->head->extra_max) { zmemcpy(state->head->extra + len, next, len + copy > state->head->extra_max ? state->head->extra_max - len : copy); |