authorMika Lindqvist <postmaster@raasu.org>2022-08-19 15:00:21 +0300
committerHans Kristian Rosbach <hk-github@circlestorm.org>2023-03-17 21:27:56 +0100
commit85ce8e2da8630b8d1d665bc76a96f998e9041f76 (patch)
tree00e179a4d4e0f3ab35d9b0a449382c3b7226bde3
parentc1d2326e7097b3ad2bc1890acb663d6d0bf88f1f (diff)
If the extra field was larger than the space the user provided with
inflateGetHeader(), and if multiple calls of inflate() delivered the extra header data, then there could be a buffer overflow of the provided space. This commit assures that provided space is not exceeded. See #1323.
-rw-r--r--inflate.c8
1 files changed, 5 insertions, 3 deletions
diff --git a/inflate.c b/inflate.c
index 5a774fa..3990eb3 100644
--- a/inflate.c
+++ b/inflate.c
@@ -509,9 +509,11 @@ int32_t Z_EXPORT PREFIX(inflate)(PREFIX3(stream) *strm, int32_t flush) {
if (copy) {
if (state->head != NULL && state->head->extra != NULL) {
len = state->head->extra_len - state->length;
- memcpy(state->head->extra + len, next,
- len + copy > state->head->extra_max ?
- state->head->extra_max - len : copy);
+ if (len < state->head->extra_max) {
+ memcpy(state->head->extra + len, next,
+ len + copy > state->head->extra_max ?
+ state->head->extra_max - len : copy);
+ }
}
if ((state->flags & 0x0200) && (state->wrap & 4))
state->check = PREFIX(crc32)(state->check, next, copy);
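Review bot: The new guard `if (len < state->head->extra_max)` has no comment explaining why it is needed, and the clamp inside the memcpy still evaluates `len + copy`, which could wrap for a very large extra_max if these are unsigned (the subtraction suggests so, but the declarations are outside the hunk). With `len < extra_max` now guaranteed, the length can be written as `copy > state->head->extra_max - len ? state->head->extra_max - len : copy`, which cannot wrap. I would also add `/* caller's extra buffer is already full: skip the copy; the bytes are still fed to the CRC below */` above the guard, so the silent truncation is visible to the next reader. The commit touches only inflate.c, so a regression test that delivers an extra field larger than extra_max across several inflate() calls would be worth adding alongside it. The enclosing inflate() body starts and ends outside the hunk.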