diff options
| author | Sadaf Ebrahimi <sadafebrahimi@google.com> | 2022-11-22 22:00:13 +0000 |
|---|---|---|
| committer | Sadaf Ebrahimi <sadafebrahimi@google.com> | 2022-11-22 22:53:04 +0000 |
| commit | 5abcd199d3375a20b650ce4b7f8a1bb84469cefd (patch) | |
| tree | ce7fc02563d385162f883ad72d8e5a4abadf0033 | |
| parent | ee60e455c3b8d8448cc18b6dd07b6ed0ea2f6c0b (diff) | |
| download | zlib-5abcd199d3375a20b650ce4b7f8a1bb84469cefd.tar.gz | |
Fix a bug when getting a gzip header extra field with inflate().
If the extra field was larger than the space the user provided with
inflateGetHeader(), and if multiple calls of inflate() delivered
the extra header data, then there could be a buffer overflow of the
provided space. This commit assures that provided space is not
exceeded.
Bug: http://b/242299736
Test: TreeHugger
Change-Id: I4eabb3e135c1568e06b2b9740651a3ae11b21140
| -rw-r--r-- | contrib/optimizations/inflate.c | 5 | ||||
| -rw-r--r-- | inflate.c | 5 |
2 files changed, 6 insertions, 4 deletions
diff --git a/contrib/optimizations/inflate.c b/contrib/optimizations/inflate.c index 81d558b..93776ac 100644 --- a/contrib/optimizations/inflate.c +++ b/contrib/optimizations/inflate.c @@ -771,8 +771,9 @@ int flush; if (copy > have) copy = have; if (copy) { if (state->head != Z_NULL && - state->head->extra != Z_NULL) { - len = state->head->extra_len - state->length; + state->head->extra != Z_NULL && + (len = state->head->extra_len - state->length) < + state->head->extra_max) { zmemcpy(state->head->extra + len, next, len + copy > state->head->extra_max ? state->head->extra_max - len : copy); @@ -760,8 +760,9 @@ int flush; if (copy > have) copy = have; if (copy) { if (state->head != Z_NULL && - state->head->extra != Z_NULL) { - len = state->head->extra_len - state->length; + state->head->extra != Z_NULL && + (len = state->head->extra_len - state->length) < + state->head->extra_max) { zmemcpy(state->head->extra + len, next, len + copy > state->head->extra_max ? state->head->extra_max - len : copy); |