| From eff308af425b67093bab25f80f1ae950166bece1 Mon Sep 17 00:00:00 2001 |
| From: Mark Adler <fork@madler.net> |
| Date: Sat, 30 Jul 2022 15:51:11 -0700 |
| Subject: [PATCH] Fix a bug when getting a gzip header extra field with inflate(). |
| |
| If the extra field was larger than the space the user provided with |
| inflateGetHeader(), and if multiple calls of inflate() delivered |
| the extra header data, then there could be a buffer overflow of the |
| provided space. This commit assures that provided space is not |
| exceeded. |
| |
| CVE: CVE-2022-37434 |
| Upstream-Status: Backport [https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166be] |
| Signed-off-by: Khem Raj <raj.khem@gmail.com> |
| --- |
| inflate.c | 5 +++-- |
| 1 file changed, 3 insertions(+), 2 deletions(-) |
| |
| diff --git a/inflate.c b/inflate.c |
| index 7be8c63..7a72897 100644 |
| --- a/inflate.c |
| +++ b/inflate.c |
| @@ -763,9 +763,10 @@ int flush; |
| copy = state->length; |
| if (copy > have) copy = have; |
| if (copy) { |
| + len = state->head->extra_len - state->length; |
| if (state->head != Z_NULL && |
| - state->head->extra != Z_NULL) { |
| - len = state->head->extra_len - state->length; |
| + state->head->extra != Z_NULL && |
| + len < state->head->extra_max) { |
| zmemcpy(state->head->extra + len, next, |
| len + copy > state->head->extra_max ? |
| state->head->extra_max - len : copy); |
| -- |
| 2.37.2 |
| |