| Patrick Williams | 92b42cb | 2022-09-03 06:53:57 -0500 | [diff] [blame^] | 1 | From 1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d Mon Sep 17 00:00:00 2001 |
| 2 | From: Mark Adler <fork@madler.net> |
| 3 | Date: Mon, 8 Aug 2022 10:50:09 -0700 |
| 4 | Subject: [PATCH] Fix extra field processing bug that dereferences NULL |
| 5 | state->head. |
| 6 | |
| 7 | The recent commit to fix a gzip header extra field processing bug |
| 8 | introduced the new bug fixed here. |
| 9 | |
| 10 | CVE: CVE-2022-37434 |
| 11 | Upstream-Status: Backport [https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d] |
| 12 | Signed-off-by: Khem Raj <raj.khem@gmail.com> |
| 13 | --- |
| 14 | inflate.c | 4 ++-- |
| 15 | 1 file changed, 2 insertions(+), 2 deletions(-) |
| 16 | |
| 17 | diff --git a/inflate.c b/inflate.c |
| 18 | index 7a72897..2a3c4fe 100644 |
| 19 | --- a/inflate.c |
| 20 | +++ b/inflate.c |
| 21 | @@ -763,10 +763,10 @@ int flush; |
| 22 | copy = state->length; |
| 23 | if (copy > have) copy = have; |
| 24 | if (copy) { |
| 25 | - len = state->head->extra_len - state->length; |
| 26 | if (state->head != Z_NULL && |
| 27 | state->head->extra != Z_NULL && |
| 28 | - len < state->head->extra_max) { |
| 29 | + (len = state->head->extra_len - state->length) < |
| 30 | + state->head->extra_max) { |
| 31 | zmemcpy(state->head->extra + len, next, |
| 32 | len + copy > state->head->extra_max ? |
| 33 | state->head->extra_max - len : copy); |
| 34 | -- |
| 35 | 2.37.2 |
| 36 | |