zlib: backport fix for heap-based buffer over-read (CVE-2022-37434)
[openwrt/staging/nbd.git] / package / libs / zlib / patches / 006-fix-CVE-2022-37434.patch
1 From eff308af425b67093bab25f80f1ae950166bece1 Mon Sep 17 00:00:00 2001
2 From: Mark Adler <fork@madler.net>
3 Date: Sat, 30 Jul 2022 15:51:11 -0700
4 Subject: [PATCH] Fix a bug when getting a gzip header extra field with
5 inflate().
6
7 If the extra field was larger than the space the user provided with
8 inflateGetHeader(), and if multiple calls of inflate() delivered
9 the extra header data, then there could be a buffer overflow of the
10 provided space. This commit assures that provided space is not
11 exceeded.
12 ---
13 inflate.c | 5 +++--
14 1 file changed, 3 insertions(+), 2 deletions(-)
15
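--- a/inflate.c
+++ b/inflate.c
@@ -763,9 +763,10 @@ int flush;
 copy = state->length;
 if (copy > have) copy = have;
 if (copy) {
+ len = state->head->extra_len - state->length;
 if (state->head != Z_NULL &&
- state->head->extra != Z_NULL) {
- len = state->head->extra_len - state->length;
+ state->head->extra != Z_NULL &&
+ len < state->head->extra_max) {
 zmemcpy(state->head->extra + len, next,
 len + copy > state->head->extra_max ?
 state->head->extra_max - len : copy);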
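Review bot: The added `len = state->head->extra_len - state->length;` at the top of the `if (copy)` block reads through `state->head` before the `state->head != Z_NULL` test on the following line, and that test shows the pointer can be null at this point, so the fix trades the overflow for a possible null-pointer dereference. The new bound `len < state->head->extra_max` is the part that stops the copy from starting past the caller's buffer and should stay, but `len` should be computed inside the guarded condition: keep `state->head->extra != Z_NULL &&` and make the last clause `(len = state->head->extra_len - state->length) < state->head->extra_max) {`, dropping the unguarded assignment. Anyone carrying this backport should confirm that a null-safe version of this condition is applied on top of it. The enclosing function begins and ends outside the hunk, so later uses of `len` in this block cannot be checked from here.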