https://bugs.gentoo.org/863851 https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1 https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d (see https://github.com/curl/curl/issues/9271) From eff308af425b67093bab25f80f1ae950166bece1 Mon Sep 17 00:00:00 2001 From: Mark Adler Date: Sat, 30 Jul 2022 15:51:11 -0700 Subject: [PATCH] Fix a bug when getting a gzip header extra field with inflate(). If the extra field was larger than the space the user provided with inflateGetHeader(), and if multiple calls of inflate() delivered the extra header data, then there could be a buffer overflow of the provided space. This commit assures that provided space is not exceeded. --- a/inflate.c +++ b/inflate.c @@ -763,9 +763,10 @@ int flush; copy = state->length; if (copy > have) copy = have; if (copy) { + len = state->head->extra_len - state->length; if (state->head != Z_NULL && - state->head->extra != Z_NULL) { - len = state->head->extra_len - state->length; + state->head->extra != Z_NULL && + len < state->head->extra_max) { zmemcpy(state->head->extra + len, next, len + copy > state->head->extra_max ? state->head->extra_max - len : copy); From 1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d Mon Sep 17 00:00:00 2001 From: Mark Adler Date: Mon, 8 Aug 2022 10:50:09 -0700 Subject: [PATCH] Fix extra field processing bug that dereferences NULL state->head. The recent commit to fix a gzip header extra field processing bug introduced the new bug fixed here. --- a/inflate.c +++ b/inflate.c @@ -763,10 +763,10 @@ int flush; copy = state->length; if (copy > have) copy = have; if (copy) { - len = state->head->extra_len - state->length; if (state->head != Z_NULL && state->head->extra != Z_NULL && - len < state->head->extra_max) { + (len = state->head->extra_len - state->length) < + state->head->extra_max) { zmemcpy(state->head->extra + len, next, len + copy > state->head->extra_max ? state->head->extra_max - len : copy);