diff options
author | Wayne Davison <wayne@opencoder.net> | 2022-08-07 09:27:57 -0700 |
---|---|---|
committer | Wayne Davison <wayne@opencoder.net> | 2022-08-07 09:34:26 -0700 |
commit | 788f11ea6afeb96f0d84f140192165a1ca12ade4 (patch) | |
tree | 4ae06c373ba86152768d58bd24ab5d36d207764d | |
parent | b7fdc9ef0e5fe2d179058c0ce326c9075f64443c (diff) | |
download | rsync-788f11ea6afeb96f0d84f140192165a1ca12ade4.tar.gz |
Fix zlib bug with a large gzip header extra field
From zlib commit eff308af425b67093bab25f80f1ae950166bece1.
Fixes CVE-2022-37434.
-rw-r--r-- | zlib/inflate.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/zlib/inflate.c b/zlib/inflate.c index e43abd9e..d15132ea 100644 --- a/zlib/inflate.c +++ b/zlib/inflate.c @@ -739,9 +739,10 @@ int flush; copy = state->length; if (copy > have) copy = have; if (copy) { + len = state->head->extra_len - state->length; if (state->head != Z_NULL && - state->head->extra != Z_NULL) { - len = state->head->extra_len - state->length; + state->head->extra != Z_NULL && + len < state->head->extra_max) { zmemcpy(state->head->extra + len, next, len + copy > state->head->extra_max ? state->head->extra_max - len : copy); |