diff options
| author | Tom Rini <trini@konsulko.com> | 2024-04-12 12:57:13 -0600 |
|---|---|---|
| committer | Tom Rini <trini@konsulko.com> | 2024-04-12 12:57:13 -0600 |
| commit | 4914263c9a14315390d3ccc4816cf3a94cfd156d (patch) | |
| tree | c74fb192a9db046df2a004380d0512391bc68bc3 /lib/zlib/inflate.c | |
| parent | ef8ef5f77c9a998f76a48277a883af1645b54117 (diff) | |
| parent | 26beded3d094d527c3287f1df144cf155290e4ac (diff) | |
Merge patch series "zlib: Address CVE-2016-9841"
Michal Simek <michal.simek@amd.com> says:
It looks like that only CVE-2016-9841 is not fixed and this series is
trying to address it. The first two patches are just preparation based on
changes which happened in past. The third one is actual fix and the last
one is following what has been done in Linux kernel long time ago and don't
use incorrect zlib version string.
I tested it with and I can't see any issue.
./test/py/test.py --bd sandbox --build -s
And gitlab CI is also not showing any issue.
Diffstat (limited to 'lib/zlib/inflate.c')
| -rw-r--r-- | lib/zlib/inflate.c | 31 |
1 files changed, 14 insertions, 17 deletions
diff --git a/lib/zlib/inflate.c b/lib/zlib/inflate.c index 8f767b7b9d2..f7e81fc8b2a 100644 --- a/lib/zlib/inflate.c +++ b/lib/zlib/inflate.c @@ -21,7 +21,7 @@ int ZEXPORT inflateReset(z_streamp strm) state->head = Z_NULL; state->wsize = 0; state->whave = 0; - state->write = 0; + state->wnext = 0; state->hold = 0; state->bits = 0; state->lencode = state->distcode = state->next = state->codes; @@ -30,14 +30,11 @@ int ZEXPORT inflateReset(z_streamp strm) return Z_OK; } -int ZEXPORT inflateInit2_(z_streamp strm, int windowBits, const char *version, +int ZEXPORT inflateInit2_(z_streamp strm, int windowBits, int stream_size) { struct inflate_state FAR *state; - if (version == Z_NULL || version[0] != ZLIB_VERSION[0] || - stream_size != (int)(sizeof(z_stream))) - return Z_VERSION_ERROR; if (strm == Z_NULL) return Z_STREAM_ERROR; strm->msg = Z_NULL; /* in case we return an error */ if (strm->zalloc == (alloc_func)0) { @@ -70,9 +67,9 @@ int ZEXPORT inflateInit2_(z_streamp strm, int windowBits, const char *version, return inflateReset(strm); } -int ZEXPORT inflateInit_(z_streamp strm, const char *version, int stream_size) +int ZEXPORT inflateInit_(z_streamp strm, int stream_size) { - return inflateInit2_(strm, DEF_WBITS, version, stream_size); + return inflateInit2_(strm, DEF_WBITS, stream_size); } local void fixedtables(struct inflate_state FAR *state) @@ -115,7 +112,7 @@ local int updatewindow(z_streamp strm, unsigned out) /* if window not in use yet, initialize */ if (state->wsize == 0) { state->wsize = 1U << state->wbits; - state->write = 0; + state->wnext = 0; state->whave = 0; } @@ -123,22 +120,22 @@ local int updatewindow(z_streamp strm, unsigned out) copy = out - strm->avail_out; if (copy >= state->wsize) { zmemcpy(state->window, strm->next_out - state->wsize, state->wsize); - state->write = 0; + state->wnext = 0; state->whave = state->wsize; } else { - dist = state->wsize - state->write; + dist = state->wsize - state->wnext; if (dist > copy) dist = copy; - zmemcpy(state->window + state->write, strm->next_out - copy, dist); + zmemcpy(state->window + state->wnext, strm->next_out - copy, dist); copy -= dist; if (copy) { zmemcpy(state->window, strm->next_out - copy, copy); - state->write = copy; + state->wnext = copy; state->whave = state->wsize; } else { - state->write += dist; - if (state->write == state->wsize) state->write = 0; + state->wnext += dist; + if (state->wnext == state->wsize) state->wnext = 0; if (state->whave < state->wsize) state->whave += dist; } } @@ -823,12 +820,12 @@ int ZEXPORT inflate(z_streamp strm, int flush) copy = out - left; if (state->offset > copy) { /* copy from window */ copy = state->offset - copy; - if (copy > state->write) { - copy -= state->write; + if (copy > state->wnext) { + copy -= state->wnext; from = state->window + (state->wsize - copy); } else - from = state->window + (state->write - copy); + from = state->window + (state->wnext - copy); if (copy > state->length) copy = state->length; } else { /* copy from output */ |