Avoid out-of-bounds pointer arithmetic in inflateCopy().
authortb <tb@openbsd.org>
Thu, 5 Sep 2024 16:16:54 +0000 (16:16 +0000)
committertb <tb@openbsd.org>
Thu, 5 Sep 2024 16:16:54 +0000 (16:16 +0000)
from upstream, no ABI or API change.
ok beck deraadt

lib/libz/inflate.c

index 008f508..c4f80cf 100644 (file)
@@ -960,7 +960,7 @@ int ZEXPORT inflate(z_streamp strm, int flush) {
             while (state->have < 19)
                 state->lens[order[state->have++]] = 0;
             state->next = state->codes;
-            state->lencode = (const code FAR *)(state->next);
+            state->lencode = state->distcode = (const code FAR *)(state->next);
             state->lenbits = 7;
             ret = inflate_table(CODES, state->lens, 19, &(state->next),
                                 &(state->lenbits), state->work);
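Review bot: The chained assignment to `state->distcode` on the new line carries no comment, and nothing in the visible lines reads distcode, so it looks redundant and is easy to drop in a later cleanup. Going by the commit title, it presumably exists so that distcode points into `state->codes` whenever lencode does, which would keep the pointer difference taken in inflateCopy() inside one array. inflateCopy() is not shown here, so confirm that against it. I would add a comment above the line, such as `/* distcode must also point into codes[] here: inflateCopy() rebases both pointers */`. The enclosing inflate() body starts and ends outside the hunk.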