authorMark Adler <fork@madler.net>2022-07-30 15:51:11 -0700
committerMark Adler <fork@madler.net>2022-07-30 15:58:02 -0700
commiteff308af425b67093bab25f80f1ae950166bece1 (patch)
tree9608b2d62ef5d0568ed68123152e9e46d8077f6d /inflate.c
parentb8bd09801f4a2c224655e14edffc5793943a33d2 (diff)
Fix a bug when getting a gzip header extra field with inflate().
If the extra field was larger than the space the user provided with inflateGetHeader(), and if multiple calls of inflate() delivered the extra header data, then there could be a buffer overflow of the provided space. This commit assures that provided space is not exceeded.
Diffstat (limited to 'inflate.c')
-rw-r--r--inflate.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/inflate.c b/inflate.c
index 7be8c63..7a72897 100644
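--- a/inflate.c
+++ b/inflate.c
@@ -763,9 +763,10 @@ int flush;
 copy = state->length;
 if (copy > have) copy = have;
 if (copy) {
+len = state->head->extra_len - state->length;
 if (state->head != Z_NULL &&
-state->head->extra != Z_NULL) {
-len = state->head->extra_len - state->length;
+state->head->extra != Z_NULL &&
+len < state->head->extra_max) {
 zmemcpy(state->head->extra + len, next,
 len + copy > state->head->extra_max ?
 state->head->extra_max - len : copy);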
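Review bot: The added `len = state->head->extra_len - state->length;` now runs before the `state->head != Z_NULL` test on the next line, so it dereferences `state->head` unconditionally. The retained NULL test suggests `state->head` can be NULL here, presumably when the caller never requested the header with inflateGetHeader(), and in that case a gzip stream with an extra field would crash the process instead of skipping the copy. Compute `len` only after both NULL tests, for example by folding the assignment into the condition: `state->head->extra != Z_NULL && (len = state->head->extra_len - state->length) < state->head->extra_max) {`. The new `len < state->head->extra_max` bound itself looks right, since it keeps `state->head->extra_max - len` from wrapping in the zmemcpy length. The enclosing function starts and ends outside this hunk, so the NULL case is inferred from the visible check rather than confirmed.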