Date: Tue, 30 Aug 2022 23:15:05 GMT
Message-Id: <202208302315.27UNF5IK060873@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Ed Maste
Subject: git: 77cd23716ffb - releng/13.0 - zlib: Fix a bug when getting a gzip header extra field with inflate().
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-Git-Committer: emaste
X-Git-Repository: src
X-Git-Refname: refs/heads/releng/13.0
X-Git-Reftype: branch
X-Git-Commit: 77cd23716ffbd23a2f8773c599c742641e2b5ece

The branch releng/13.0 has been updated by emaste:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=77cd23716ffbd23a2f8773c599c742641e2b5ece commit 77cd23716ffbd23a2f8773c599c742641e2b5ece Author: Mark Adler AuthorDate: 2022-07-30 22:51:11 +0000 Commit: Ed Maste CommitDate: 2022-08-30 22:57:49 +0000 zlib: Fix a bug when getting a gzip header extra field with inflate(). If the extra field was larger than the space the user provided with inflateGetHeader(), and if multiple calls of inflate() delivered the extra header data, then there could be a buffer overflow of the provided space. This commit assures that provided space is not exceeded. (cherry picked from zlib commit eff308af425b67093bab25f80f1ae950166bece1) (cherry picked from zlib commit 1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d) (cherry picked from commit dc3509f1aafcd966f3dd9226115cf94b691ff3c7) (cherry picked from commit 2969066f73fc67a614144ac09b9f3f5291937fed) (cherry picked from commit 10cc2bf5f7a592981ee00d22eb13e100beed1e64) Approved by: so Security: CVE-2022-37434 --- sys/contrib/zlib/inflate.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/sys/contrib/zlib/inflate.c b/sys/contrib/zlib/inflate.c index 968f98501e57..29f78c6fedda 100644 --- a/sys/contrib/zlib/inflate.c +++ b/sys/contrib/zlib/inflate.c @@ -759,8 +759,9 @@ int flush; if (copy > have) copy = have; if (copy) { if (state->head != Z_NULL && - state->head->extra != Z_NULL) { - len = state->head->extra_len - state->length; + state->head->extra != Z_NULL && + (len = state->head->extra_len - state->length) < + state->head->extra_max) { zmemcpy(state->head->extra + len, next, len + copy > state->head->extra_max ? state->head->extra_max - len : copy);
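
Review bot: The bounds check in the new condition is carried by an assignment buried in the third operand of the && chain, `(len = state->head->extra_len - state->length) < state->head->extra_max`, which is easy to misread as a plain comparison and is only safe because it is evaluated after the two Z_NULL tests. Consider a short comment above the if stating the invariant it establishes: inside the block len is below extra_max, so `state->head->extra + len` stays within the caller's buffer and `state->head->extra_max - len` in the zmemcpy length cannot wrap. The comment could also state that extra-field bytes arriving once len has reached extra_max are deliberately not copied, since the skipped zmemcpy is the only sign of that truncation in this hunk.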