From e5a6e35a651c42d3a813e24af1000a3163da8a1b Mon Sep 17 00:00:00 2001 From: Sadaf Ebrahimi Date: Tue, 22 Nov 2022 22:00:13 +0000 Subject: Fix a bug when getting a gzip header extra field with inflate(). If the extra field was larger than the space the user provided with inflateGetHeader(), and if multiple calls of inflate() delivered the extra header data, then there could be a buffer overflow of the provided space. This commit assures that provided space is not exceeded. Bug: http://b/242299736 Test: TreeHugger Change-Id: I4eabb3e135c1568e06b2b9740651a3ae11b21140 --- contrib/optimizations/inflate.c | 5 +++-- inflate.c | 5 +++-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/contrib/optimizations/inflate.c b/contrib/optimizations/inflate.c index 81d558b..93776ac 100644 --- a/contrib/optimizations/inflate.c +++ b/contrib/optimizations/inflate.c @@ -771,8 +771,9 @@ int flush; if (copy > have) copy = have; if (copy) { if (state->head != Z_NULL && - state->head->extra != Z_NULL) { - len = state->head->extra_len - state->length; + state->head->extra != Z_NULL && + (len = state->head->extra_len - state->length) < + state->head->extra_max) { zmemcpy(state->head->extra + len, next, len + copy > state->head->extra_max ? state->head->extra_max - len : copy); diff --git a/inflate.c b/inflate.c index 68902e8..9057a57 100644 --- a/inflate.c +++ b/inflate.c @@ -760,8 +760,9 @@ int flush; if (copy > have) copy = have; if (copy) { if (state->head != Z_NULL && - state->head->extra != Z_NULL) { - len = state->head->extra_len - state->length; + state->head->extra != Z_NULL && + (len = state->head->extra_len - state->length) < + state->head->extra_max) { zmemcpy(state->head->extra + len, next, len + copy > state->head->extra_max ? state->head->extra_max - len : copy); -- cgit v1.2.3