authorMark Adler <madler@alumni.caltech.edu>2015-11-26 22:52:25 -0800
committerMark Adler <madler@alumni.caltech.edu>2015-11-26 22:52:25 -0800
commit6cef1de7403b553ce8f7e790e38531da6529f34f (patch)
tree10aa1505aa3bf4c35cf8cc5ca69ab926c8276aa9 /inflate.c
parent8f1b3744e52b2adb6475c3cd7a07ff9331e9c2fa (diff)
Fix bug that accepted invalid zlib header when windowBits is zero.
When windowBits is zero, the size of the sliding window comes from the zlib header. The allowed values of the four-bit field are 0..7, but when windowBits is zero, values greater than 7 are permitted and acted upon, resulting in large, mostly unused memory allocations. This fix rejects such invalid zlib headers.
Diffstat (limited to 'inflate.c')
-rw-r--r--inflate.c2
1 files changed, 1 insertions, 1 deletions
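--- a/inflate.c
+++ b/inflate.c
@@ -674,7 +674,7 @@ int flush;
 len = BITS(4) + 8;
 if (state->wbits == 0)
 state->wbits = len;
-else if (len > state->wbits) {
+if (len > 15 || len > state->wbits) {
 strm->msg = (char *)"invalid window size";
 state->mode = BAD;
 break;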
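Review bot: With windowBits zero, `state->wbits = len;` still runs before the new `len > 15` test, so a rejected header leaves an out-of-range value stored in `state->wbits` while the stream moves to BAD. If a later reset reuses this state without reinitialising wbits (not visible in this hunk, so to be confirmed), a window could still be sized from that stale value. Guarding the store, `if (state->wbits == 0 && len <= 15)`, leaves the field untouched on invalid input, and the following check still rejects the header. A short comment on the literal 15, such as `/* 8 + 7: largest window size the zlib header may declare */`, would tie it to the 0..7 field range given in the commit message. The enclosing function starts and ends outside the hunk.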