authorSadaf Ebrahimi <sadafebrahimi@google.com>2023-01-05 05:02:31 +0000
committerAndroid Build Coastguard Worker <android-build-coastguard-worker@google.com>2023-02-14 18:16:06 +0000
commit6a020bf505f4eb6d860eccf72ae6d6b4c4b720e9 (patch)
tree39b447b9a386f15fc981e24ad2df65f1d4828a23
parentb4697d7c49c2bc27cf7e566bc3b3f8378f98bc01 (diff)
Fix a bug when getting a gzip header extra field with inflate().
If the extra field was larger than the space the user provided with inflateGetHeader(), and if multiple calls of inflate() delivered the extra header data, then there could be a buffer overflow of the provided space. This commit ensures that the provided space is not exceeded.

Bug: http://b/242544249
Test: TreeHugger
Change-Id: I648db086d1e93b9f8b803dd106990afb8cbd2a85
(cherry picked from commit be373a02bd86e8eebae0b18e0d6a61d145ba8a2e)
Merged-In: I648db086d1e93b9f8b803dd106990afb8cbd2a85
-rw-r--r--third_party/zlib/contrib/optimizations/inflate.c5
-rw-r--r--third_party/zlib/inflate.c5
2 files changed, 6 insertions, 4 deletions
diff --git a/third_party/zlib/contrib/optimizations/inflate.c b/third_party/zlib/contrib/optimizations/inflate.c
index 4841cd964c..bb223af9c5 100644
--- a/third_party/zlib/contrib/optimizations/inflate.c
+++ b/third_party/zlib/contrib/optimizations/inflate.c
@@ -772,8 +772,9 @@ int flush;
if (copy > have) copy = have;
if (copy) {
if (state->head != Z_NULL &&
- state->head->extra != Z_NULL) {
- len = state->head->extra_len - state->length;
+ state->head->extra != Z_NULL &&
+ (len = state->head->extra_len - state->length) <
+ state->head->extra_max) {
zmemcpy(state->head->extra + len, next,
len + copy > state->head->extra_max ?
state->head->extra_max - len : copy);
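Review bot: The bounds check that carries this fix is an assignment buried in the `if` condition (`(len = state->head->extra_len - state->length) < state->head->extra_max`), and nothing on the new lines says why it is there or that it depends on `&&` short-circuiting past the two NULL tests. I would add a comment above the condition such as `/* len = offset of the next extra byte in head->extra; skip the copy once the caller's buffer is full, otherwise extra_max - len below would wrap */`, hedged on `len` and `extra_max` being unsigned, which the hunk does not show. The identical hunk in third_party/zlib/inflate.c needs the same comment, and the two copies have to stay in sync. The diffstat lists only the two inflate.c files, so a regression test that supplies a header buffer smaller than the stream's extra field and feeds the input across several inflate() calls would keep this from regressing. The enclosing `if (copy)` block and inflate() itself start and end outside the hunk.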
diff --git a/third_party/zlib/inflate.c b/third_party/zlib/inflate.c
index 7543c33def..a9e2dddba4 100644
--- a/third_party/zlib/inflate.c
+++ b/third_party/zlib/inflate.c
@@ -761,8 +761,9 @@ int flush;
if (copy > have) copy = have;
if (copy) {
if (state->head != Z_NULL &&
- state->head->extra != Z_NULL) {
- len = state->head->extra_len - state->length;
+ state->head->extra != Z_NULL &&
+ (len = state->head->extra_len - state->length) <
+ state->head->extra_max) {
zmemcpy(state->head->extra + len, next,
len + copy > state->head->extra_max ?
state->head->extra_max - len : copy);