Skip to content
This repository has been archived by the owner on May 19, 2024. It is now read-only.

Commit

Permalink
zlib: backport null dereference fix
Browse files Browse the repository at this point in the history
The curl developers found test case that crashed in their testing when
using zlib patched against CVE-2022-37434, same patch we've backported
in commit 7df6795 ("zlib: backport fix for heap-based buffer
over-read (CVE-2022-37434)"). So we need to backport following patch in
order to fix issue introduced in that previous CVE-2022-37434 fix.

References: curl/curl#9271
Fixes: 7df6795 ("zlib: backport fix for heap-based buffer over-read (CVE-2022-37434)")
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry picked from commit f443e9d)
  • Loading branch information
ynezz committed Aug 9, 2022
1 parent 5e0173d commit 707ec48
Show file tree
Hide file tree
Showing 2 changed files with 30 additions and 1 deletion.
2 changes: 1 addition & 1 deletion package/libs/zlib/Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ include $(TOPDIR)/rules.mk

PKG_NAME:=zlib
PKG_VERSION:=1.2.11
PKG_RELEASE:=5
PKG_RELEASE:=6

PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
PKG_SOURCE_URL:=@SF/libpng http://www.zlib.net
Expand Down
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
From 1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d Mon Sep 17 00:00:00 2001
From: Mark Adler <fork@madler.net>
Date: Mon, 8 Aug 2022 10:50:09 -0700
Subject: [PATCH] Fix extra field processing bug that dereferences NULL
state->head.

The recent commit to fix a gzip header extra field processing bug
introduced the new bug fixed here.
---
inflate.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/inflate.c b/inflate.c
index 7a7289749..2a3c4fe98 100644
--- a/inflate.c
+++ b/inflate.c
@@ -763,10 +763,10 @@ int flush;
copy = state->length;
if (copy > have) copy = have;
if (copy) {
- len = state->head->extra_len - state->length;
if (state->head != Z_NULL &&
state->head->extra != Z_NULL &&
- len < state->head->extra_max) {
+ (len = state->head->extra_len - state->length) <
+ state->head->extra_max) {
zmemcpy(state->head->extra + len, next,
len + copy > state->head->extra_max ?
state->head->extra_max - len : copy);

0 comments on commit 707ec48

Please sign in to comment.