authorMark Adler <madler@alumni.caltech.edu>2023-02-17 00:06:32 -0800
committerMark Adler <madler@alumni.caltech.edu>2023-02-17 00:06:32 -0800
commit12b345c4309b37ab905e7e702021c1c2d2c095cc (patch)
treea05fba37e155d16fced4e198644ec624791412ed /inflate.c
parentfa8cd50ada68b873c754766bc73b12080b7b309e (diff)
Assure that inflatePrime() can't shift a 32-bit integer by 32 bits.
The inflate() functions never leave state->bits greater than 24, so an inflatePrime() call could not cause this. The only way this could have happened would be by using inflatePrime() to fill the bit buffer with 32 bits, and then calling inflatePrime() a *second* time asking to insert zero bits, for some reason. This commit assures that a shift by 32 bits does not occur even in that case.
Diffstat (limited to 'inflate.c')
-rw-r--r--inflate.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/inflate.c b/inflate.c
index 8acbef4..ef60267 100644
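--- a/inflate.c
+++ b/inflate.c
@@ -255,6 +255,8 @@ int value;
 struct inflate_state FAR *state;
 
 if (inflateStateCheck(strm)) return Z_STREAM_ERROR;
+if (bits == 0)
+return Z_OK;
 state = (struct inflate_state FAR *)strm->state;
 if (bits < 0) {
 state->hold = 0;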
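Review bot: The added `if (bits == 0) return Z_OK;` guard carries no comment saying why a zero-bit request has to return before the bit buffer is touched, so a later cleanup could mistake it for a redundant shortcut and remove it. According to the commit message it is what keeps a completely full 32-bit buffer from producing a shift by 32, which is undefined behaviour in C; the shift itself is below the hunk, since inflatePrime's body continues past the last visible line. I would add above the guard `/* no bits to insert; return before the shift so a full 32-bit buffer cannot cause a shift by 32 */`. If the shift site has no comment of its own, it may be worth recording there that its safety depends on bits being non-zero at that point rather than on state->bits being below 32.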