diff options
author | Thiago Macieira <thiago.macieira@intel.com> | 2022-09-02 13:13:45 -0300 |
---|---|---|
committer | Thiago Macieira <thiago.macieira@intel.com> | 2022-09-06 00:45:20 -0300 |
commit | 12dc1dc09d73f5400e1e77181749793885ed9ffc (patch) | |
tree | a4b64ab2788ef84311dd3ff82876eea3e83660cc | |
parent | 9a43d9e559ffe1ca39f6354a7c331ab42c533db0 (diff) |
3rdparty: apply a fix to the last zlib fixv6.3.2
Source:
https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d
Change-Id: Ic6547f8247454b47baa8fffd17111732eb074b0a
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r-- | src/3rdparty/zlib/CVE-2022-37434.patch (renamed from src/3rdparty/zlib/0001-Fix-a-bug-when-getting-a-gzip-header-extra-field-wit.patch) | 33 | ||||
-rw-r--r-- | src/3rdparty/zlib/src/inflate.c | 4 |
2 files changed, 35 insertions, 2 deletions
diff --git a/src/3rdparty/zlib/0001-Fix-a-bug-when-getting-a-gzip-header-extra-field-wit.patch b/src/3rdparty/zlib/CVE-2022-37434.patch index 808f88f142..db2c3ded14 100644 --- a/src/3rdparty/zlib/0001-Fix-a-bug-when-getting-a-gzip-header-extra-field-wit.patch +++ b/src/3rdparty/zlib/CVE-2022-37434.patch @@ -33,3 +33,36 @@ index 7be8c63..7a72897 100644 -- 2.37.1 + +From 1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d Mon Sep 17 00:00:00 2001 +From: Mark Adler <fork@madler.net> +Date: Mon, 8 Aug 2022 10:50:09 -0700 +Subject: [PATCH] Fix extra field processing bug that dereferences NULL + state->head. + +The recent commit to fix a gzip header extra field processing bug +introduced the new bug fixed here. +--- + inflate.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/inflate.c b/inflate.c +index 7a72897..2a3c4fe 100644 +--- a/inflate.c ++++ b/inflate.c +@@ -763,10 +763,10 @@ int flush; + copy = state->length; + if (copy > have) copy = have; + if (copy) { +- len = state->head->extra_len - state->length; + if (state->head != Z_NULL && + state->head->extra != Z_NULL && +- len < state->head->extra_max) { ++ (len = state->head->extra_len - state->length) < ++ state->head->extra_max) { + zmemcpy(state->head->extra + len, next, + len + copy > state->head->extra_max ? + state->head->extra_max - len : copy); +-- +2.37.1 + diff --git a/src/3rdparty/zlib/src/inflate.c b/src/3rdparty/zlib/src/inflate.c index 7a72897492..2a3c4fe984 100644 --- a/src/3rdparty/zlib/src/inflate.c +++ b/src/3rdparty/zlib/src/inflate.c @@ -763,10 +763,10 @@ int flush; copy = state->length; if (copy > have) copy = have; if (copy) { - len = state->head->extra_len - state->length; if (state->head != Z_NULL && state->head->extra != Z_NULL && - len < state->head->extra_max) { + (len = state->head->extra_len - state->length) < + state->head->extra_max) { zmemcpy(state->head->extra + len, next, len + copy > state->head->extra_max ? state->head->extra_max - len : copy); |