1From 8617d83d6939754ae3a04fc2d22daa18eeea2a43 Mon Sep 17 00:00:00 2001 2From: Hitendra Prajapati <hprajapati@mvista.com> 3Date: Wed, 17 Aug 2022 10:15:57 +0530 4Subject: [PATCH] CVE-2022-37434 5 6Upstream-Status: Backport [https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1 & https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d] 7CVE: CVE-2022-37434 8Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> 9 10Fix a bug when getting a gzip header extra field with inflate(). 11 12If the extra field was larger than the space the user provided with 13inflateGetHeader(), and if multiple calls of inflate() delivered 14the extra header data, then there could be a buffer overflow of the 15provided space. This commit assures that provided space is not 16exceeded. 17 18 Fix extra field processing bug that dereferences NULL state->head. 19 20The recent commit to fix a gzip header extra field processing bug 21introduced the new bug fixed here. 22--- 23 inflate.c | 5 +++-- 24 1 file changed, 3 insertions(+), 2 deletions(-) 25 26diff --git a/inflate.c b/inflate.c 27index ac333e8..cd01857 100644 28--- a/inflate.c 29+++ b/inflate.c 30@@ -759,8 +759,9 @@ int flush; 31 if (copy > have) copy = have; 32 if (copy) { 33 if (state->head != Z_NULL && 34- state->head->extra != Z_NULL) { 35- len = state->head->extra_len - state->length; 36+ state->head->extra != Z_NULL && 37+ (len = state->head->extra_len - state->length) < 38+ state->head->extra_max) { 39 zmemcpy(state->head->extra + len, next, 40 len + copy > state->head->extra_max ? 41 state->head->extra_max - len : copy); 42-- 432.25.1 44 45