This is the initial fix combined with a fix for a NULL deref introduced
in the initial fix.
ok millert, help from tj
commit
eff308af425b67093bab25f80f1ae950166bece1
Author: Mark Adler <fork@madler.net>
Date: Sat Jul 30 15:51:11 2022 -0700
Fix a bug when getting a gzip header extra field with inflate().
If the extra field was larger than the space the user provided with
inflateGetHeader(), and if multiple calls of inflate() delivered
the extra header data, then there could be a buffer overflow of the
provided space. This commit assures that provided space is not
exceeded.
https://github.com/madler/zlib/commit/
eff308af425b67093bab25f80f1ae950166bece1
commit
1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d (HEAD -> develop, origin/develop)
Author: Mark Adler <fork@madler.net>
Date: Mon Aug 8 10:50:09 2022 -0700
Fix extra field processing bug that dereferences NULL state->head.
The recent commit to fix a gzip header extra field processing bug
introduced the new bug fixed here.
https://github.com/madler/zlib/commit/
1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d
-/* $OpenBSD: inflate.c,v 1.12 2022/05/08 14:04:22 tb Exp $ */
+/* $OpenBSD: inflate.c,v 1.13 2022/08/09 07:37:35 tb Exp $ */
/* inflate.c -- zlib decompression
* Copyright (C) 1995-2022 Mark Adler
* For conditions of distribution and use, see copyright notice in zlib.h
if (copy > have) copy = have;
if (copy) {
if (state->head != Z_NULL &&
- state->head->extra != Z_NULL) {
- len = state->head->extra_len - state->length;
+ state->head->extra != Z_NULL &&
+ (len = state->head->extra_len - state->length) <
+ state->head->extra_max) {
zmemcpy(state->head->extra + len, next,
len + copy > state->head->extra_max ?
state->head->extra_max - len : copy);
projects / openbsd / commitdiff