| Patrick Williams | 92b42cb | 2022-09-03 06:53:57 -0500 | [diff] [blame^] | 1 | From eff308af425b67093bab25f80f1ae950166bece1 Mon Sep 17 00:00:00 2001 |
| 2 | From: Mark Adler <fork@madler.net> |
| 3 | Date: Sat, 30 Jul 2022 15:51:11 -0700 |
| 4 | Subject: [PATCH] Fix a bug when getting a gzip header extra field with inflate(). |
| 5 | |
| 6 | If the extra field was larger than the space the user provided with |
| 7 | inflateGetHeader(), and if multiple calls of inflate() delivered |
| 8 | the extra header data, then there could be a buffer overflow of the |
| 9 | provided space. This commit assures that provided space is not |
| 10 | exceeded. |
| 11 | |
| 12 | CVE: CVE-2022-37434 |
| 13 | Upstream-Status: Backport [https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166be] |
| 14 | Signed-off-by: Khem Raj <raj.khem@gmail.com> |
| 15 | --- |
| 16 | inflate.c | 5 +++-- |
| 17 | 1 file changed, 3 insertions(+), 2 deletions(-) |
| 18 | |
| 19 | diff --git a/inflate.c b/inflate.c |
| 20 | index 7be8c63..7a72897 100644 |
| 21 | --- a/inflate.c |
| 22 | +++ b/inflate.c |
| 23 | @@ -763,9 +763,10 @@ int flush; |
| 24 | copy = state->length; |
| 25 | if (copy > have) copy = have; |
| 26 | if (copy) { |
| 27 | + len = state->head->extra_len - state->length; |
| 28 | if (state->head != Z_NULL && |
| 29 | - state->head->extra != Z_NULL) { |
| 30 | - len = state->head->extra_len - state->length; |
| 31 | + state->head->extra != Z_NULL && |
| 32 | + len < state->head->extra_max) { |
| 33 | zmemcpy(state->head->extra + len, next, |
| 34 | len + copy > state->head->extra_max ? |
| 35 | state->head->extra_max - len : copy); |
| 36 | -- |
| 37 | 2.37.2 |
| 38 | |