From eff308af425b67093bab25f80f1ae950166bece1 Mon Sep 17 00:00:00 2001
From: Mark Adler <fork@madler.net>
Date: Sat, 30 Jul 2022 15:51:11 -0700
Subject: [PATCH] Fix a bug when getting a gzip header extra field with
 inflate().
If the extra field was larger than the space the user provided with
inflateGetHeader(), and if multiple calls of inflate() delivered
the extra header data, then there could be a buffer overflow of the
provided space. This commit assures that provided space is not
exceeded.
---
 inflate.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/inflate.c b/inflate.c
8cf299
index 7be8c63..7a72897 100644
8cf299
--- a/inflate.c
8cf299
+++ b/inflate.c
8cf299
@@ -763,9 +763,10 @@ int flush;
8cf299
                 copy = state->length;
8cf299
                 if (copy > have) copy = have;
8cf299
                 if (copy) {
8cf299
+                    len = state->head->extra_len - state->length;
8cf299
                     if (state->head != Z_NULL &&
8cf299
-                        state->head->extra != Z_NULL) {
8cf299
-                        len = state->head->extra_len - state->length;
8cf299
+                        state->head->extra != Z_NULL &&
8cf299
+                        len < state->head->extra_max) {
8cf299
                         zmemcpy(state->head->extra + len, next,
8cf299
                                 len + copy > state->head->extra_max ?
8cf299
                                 state->head->extra_max - len : copy);
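Review bot: The added `len = state->head->extra_len - state->length;` runs before the `state->head != Z_NULL` test on the next line, so it dereferences `state->head` unguarded. The existing null test suggests `state->head` can be null here, presumably when the caller never registered a header with inflateGetHeader(); in that case a gzip stream carrying an extra field would cause a null-pointer read where the old code simply skipped the copy. Keep the new bound but compute `len` only after the null checks, for example `state->head->extra != Z_NULL &&` followed by `(len = state->head->extra_len - state->length) < state->head->extra_max) {`. A regression test that inflates a gzip member with an extra field and no inflateGetHeader() call would pin this down. The enclosing inflate() case starts and ends outside the hunk, so later uses of `len` there should be checked against the same change.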
-- 
2.35.3