authorSadaf Ebrahimi <sadafebrahimi@google.com>2022-11-23 16:06:41 +0000
committerSadaf Ebrahimi <sadafebrahimi@google.com>2022-11-23 16:06:41 +0000
commitcc6c2db43efa8aab4ceabbfa621408bb8a8f6fba (patch)
tree0d025eaa66ed0c5c30fbcf6ba8bff3ce3b916388
parent661c183e19d3a6848a046f1db973f5725c7f2204 (diff)
Fix a bug when getting a gzip header extra field with inflate().
If the extra field was larger than the space the user provided with inflateGetHeader(), and if multiple calls of inflate() delivered the extra header data, then there could be a buffer overflow of the provided space. This commit ensures that the provided space is not exceeded.

Bug: http://b/242299736
Test: TreeHugger
Change-Id: Ic0a84a7755487f3d3b2c09abd2fd6fdd58b6d4e0
-rw-r--r--src/inflate.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/src/inflate.c b/src/inflate.c
index ac333e8..cd01857 100644
--- a/src/inflate.c
+++ b/src/inflate.c
@@ -759,8 +759,9 @@ int flush;
if (copy > have) copy = have;
if (copy) {
if (state->head != Z_NULL &&
- state->head->extra != Z_NULL) {
- len = state->head->extra_len - state->length;
+ state->head->extra != Z_NULL &&
+ (len = state->head->extra_len - state->length) <
+ state->head->extra_max) {
zmemcpy(state->head->extra + len, next,
len + copy > state->head->extra_max ?
state->head->extra_max - len : copy);
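Review bot: The new bound `(len = state->head->extra_len - state->length) < state->head->extra_max` has no comment, yet it is safe only because it sits after both `Z_NULL` tests in the `&&` chain, so a later tidy-up that hoists the assignment above the `if` would dereference a null `state->head`. I would add a comment above the condition such as `/* len = extra bytes already delivered; must stay after the NULL checks, and copy only while len is still inside the caller's extra_max bytes */`. The guard also presumably relies on `len` being unsigned, so that a `state->length` larger than `extra_len` wraps to a large value and fails the `<` test instead of producing a negative offset; the declarations are outside this hunk, so that should be confirmed. The diffstat shows only `src/inflate.c` changed, so a regression test that feeds an oversized extra field across several `inflate()` calls with a small `extra_max` would be worth adding alongside. The enclosing function begins and ends outside the hunk.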