Fix a bug when getting a gzip header extra field with inflate().

If the extra field was larger than the space the user provided with inflateGetHeader(), and if multiple calls of inflate() delivered the extra header data, then there could be a buffer overflow of the provided space. This commit assures that provided space is not exceeded. Bug: http://b/242299736 Test: TreeHugger Change-Id: I4eabb3e135c1568e06b2b9740651a3ae11b21140
author: Sadaf Ebrahimi <sadafebrahimi@google.com> 2022-11-22 22:00:13 +0000
committer: Sadaf Ebrahimi <sadafebrahimi@google.com> 2022-11-22 22:53:34 +0000
commit: e5a6e35a651c42d3a813e24af1000a3163da8a1b (patch)
tree: c57c88c77fbc80b596ee8b71adf1bdb8a6ea1616 /inflate.c
parent: dc18fc32e1d3b35b578f1691a6ff92e40c82564b (diff)
download: zlib-e5a6e35a651c42d3a813e24af1000a3163da8a1b.tar.gz
1 files changed, 3 insertions, 2 deletions
diff --git a/inflate.c b/inflate.c
index 68902e8..9057a57 100644
--- a/inflate.c
+++ b/inflate.c
@@ -760,8 +760,9 @@ int flush;
                 if (copy > have) copy = have;
                 if (copy) {
                     if (state->head != Z_NULL &&
-                        state->head->extra != Z_NULL) {
-                        len = state->head->extra_len - state->length;
+                        state->head->extra != Z_NULL &&
+                        (len = state->head->extra_len - state->length) <
+                            state->head->extra_max) {
                         zmemcpy(state->head->extra + len, next,
                                 len + copy > state->head->extra_max ?
                                 state->head->extra_max - len : copy);
author	Sadaf Ebrahimi <sadafebrahimi@google.com>	2022-11-22 22:00:13 +0000
committer	Sadaf Ebrahimi <sadafebrahimi@google.com>	2022-11-22 22:53:34 +0000
commit	e5a6e35a651c42d3a813e24af1000a3163da8a1b (patch)
tree	c57c88c77fbc80b596ee8b71adf1bdb8a6ea1616 /inflate.c
parent	dc18fc32e1d3b35b578f1691a6ff92e40c82564b (diff)
download	zlib-e5a6e35a651c42d3a813e24af1000a3163da8a1b.tar.gz