authorSadaf Ebrahimi <sadafebrahimi@google.com>2023-01-05 05:02:31 +0000
committerSadaf Ebrahimi <sadafebrahimi@google.com>2023-01-05 05:02:31 +0000
commitb8b2479b4456ff06b3d5496818b836af1dc88818 (patch)
treefb1fc40a5e6ea81aae1c1b3cd51c510eab5da0fc
parent7f6eb65e4b32140632ff614c2af4ba379540220c (diff)
downloadangle-b8b2479b4456ff06b3d5496818b836af1dc88818.tar.gz
Fix a bug when getting a gzip header extra field with inflate().
If the extra field was larger than the space the user provided with inflateGetHeader(), and if multiple calls of inflate() delivered the extra header data, then there could be a buffer overflow of the provided space. This commit ensures that the provided space is not exceeded. Bug: http://b/242544249 Test: TreeHugger Change-Id: I648db086d1e93b9f8b803dd106990afb8cbd2a85
-rw-r--r--third_party/zlib/contrib/optimizations/inflate.c5
-rw-r--r--third_party/zlib/inflate.c5
2 files changed, 6 insertions, 4 deletions
diff --git a/third_party/zlib/contrib/optimizations/inflate.c b/third_party/zlib/contrib/optimizations/inflate.c
index 81d558bd6e..93776ac579 100644
--- a/third_party/zlib/contrib/optimizations/inflate.c
+++ b/third_party/zlib/contrib/optimizations/inflate.c
@@ -771,8 +771,9 @@ int flush;
if (copy > have) copy = have;
if (copy) {
if (state->head != Z_NULL &&
- state->head->extra != Z_NULL) {
- len = state->head->extra_len - state->length;
+ state->head->extra != Z_NULL &&
+ (len = state->head->extra_len - state->length) <
+ state->head->extra_max) {
zmemcpy(state->head->extra + len, next,
len + copy > state->head->extra_max ?
state->head->extra_max - len : copy);
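Review bot: The new bound is enforced by an assignment buried in the third operand of the `if` condition, and nothing in the hunk records why the operand order matters. `len` is only computed after both NULL checks pass, because `&&` short-circuits, and the `< state->head->extra_max` comparison is what keeps `state->head->extra + len` inside the caller's buffer when the extra field arrives over several inflate() calls. A comment above the condition would protect it from a later reordering or "simplification", for example `/* len = extra bytes already consumed; once it reaches extra_max, skip the copy so extra + len stays in bounds */`. The same applies to the identical hunk in third_party/zlib/inflate.c. The enclosing function starts and ends outside the hunk.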
diff --git a/third_party/zlib/inflate.c b/third_party/zlib/inflate.c
index 68902e81bd..9057a574bb 100644
--- a/third_party/zlib/inflate.c
+++ b/third_party/zlib/inflate.c
@@ -760,8 +760,9 @@ int flush;
if (copy > have) copy = have;
if (copy) {
if (state->head != Z_NULL &&
- state->head->extra != Z_NULL) {
- len = state->head->extra_len - state->length;
+ state->head->extra != Z_NULL &&
+ (len = state->head->extra_len - state->length) <
+ state->head->extra_max) {
zmemcpy(state->head->extra + len, next,
len + copy > state->head->extra_max ?
state->head->extra_max - len : copy);
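Review bot: The truncation this guard implies is not documented at the copy site: with the new condition and the existing clamp in the `zmemcpy` length, at most `extra_max` bytes are ever stored in `head->extra`. As far as the hunk shows, `head->extra_len` is left untouched and is used as the full field length, so it can exceed `extra_max`. A caller that walks `extra` for `extra_len` bytes would then read past its own buffer, which is the read-side mirror of the overflow fixed here. I would add a comment next to the copy such as `/* stores at most extra_max bytes; readers of head->extra must bound by extra_max, not extra_len */`, and the same in contrib/optimizations/inflate.c. The diffstat lists only the two inflate.c copies, so a regression test covering an extra field longer than `extra_max` delivered across several inflate() calls would also be worth adding.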