git: 77cd23716ffb - releng/13.0 - zlib: Fix a bug when getting a gzip header extra field with inflate().
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 30 Aug 2022 23:15:05 UTC
The branch releng/13.0 has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=77cd23716ffbd23a2f8773c599c742641e2b5ece commit 77cd23716ffbd23a2f8773c599c742641e2b5ece Author: Mark Adler <fork@madler.net> AuthorDate: 2022-07-30 22:51:11 +0000 Commit: Ed Maste <emaste@FreeBSD.org> CommitDate: 2022-08-30 22:57:49 +0000 zlib: Fix a bug when getting a gzip header extra field with inflate(). If the extra field was larger than the space the user provided with inflateGetHeader(), and if multiple calls of inflate() delivered the extra header data, then there could be a buffer overflow of the provided space. This commit assures that provided space is not exceeded. (cherry picked from zlib commit eff308af425b67093bab25f80f1ae950166bece1) (cherry picked from zlib commit 1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d) (cherry picked from commit dc3509f1aafcd966f3dd9226115cf94b691ff3c7) (cherry picked from commit 2969066f73fc67a614144ac09b9f3f5291937fed) (cherry picked from commit 10cc2bf5f7a592981ee00d22eb13e100beed1e64) Approved by: so Security: CVE-2022-37434 --- sys/contrib/zlib/inflate.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/sys/contrib/zlib/inflate.c b/sys/contrib/zlib/inflate.c index 968f98501e57..29f78c6fedda 100644 --- a/sys/contrib/zlib/inflate.c +++ b/sys/contrib/zlib/inflate.c @@ -759,8 +759,9 @@ int flush; if (copy > have) copy = have; if (copy) { if (state->head != Z_NULL && - state->head->extra != Z_NULL) { - len = state->head->extra_len - state->length; + state->head->extra != Z_NULL && + (len = state->head->extra_len - state->length) < + state->head->extra_max) { zmemcpy(state->head->extra + len, next, len + copy > state->head->extra_max ? state->head->extra_max - len : copy);