summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorThiago Macieira <thiago.macieira@intel.com>2022-09-02 13:13:45 -0300
committerThiago Macieira <thiago.macieira@intel.com>2022-09-06 00:45:20 -0300
commit12dc1dc09d73f5400e1e77181749793885ed9ffc (patch)
treea4b64ab2788ef84311dd3ff82876eea3e83660cc
parent9a43d9e559ffe1ca39f6354a7c331ab42c533db0 (diff)
3rdparty: apply a fix to the last zlib fixv6.3.2
Source: https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d Change-Id: Ic6547f8247454b47baa8fffd17111732eb074b0a Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
-rw-r--r--src/3rdparty/zlib/CVE-2022-37434.patch (renamed from src/3rdparty/zlib/0001-Fix-a-bug-when-getting-a-gzip-header-extra-field-wit.patch)33
-rw-r--r--src/3rdparty/zlib/src/inflate.c4
2 files changed, 35 insertions, 2 deletions
diff --git a/src/3rdparty/zlib/0001-Fix-a-bug-when-getting-a-gzip-header-extra-field-wit.patch b/src/3rdparty/zlib/CVE-2022-37434.patch
index 808f88f142..db2c3ded14 100644
--- a/src/3rdparty/zlib/0001-Fix-a-bug-when-getting-a-gzip-header-extra-field-wit.patch
+++ b/src/3rdparty/zlib/CVE-2022-37434.patch
@@ -33,3 +33,36 @@ index 7be8c63..7a72897 100644
--
2.37.1
+
+From 1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d Mon Sep 17 00:00:00 2001
+From: Mark Adler <fork@madler.net>
+Date: Mon, 8 Aug 2022 10:50:09 -0700
+Subject: [PATCH] Fix extra field processing bug that dereferences NULL
+ state->head.
+
+The recent commit to fix a gzip header extra field processing bug
+introduced the new bug fixed here.
+---
+ inflate.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/inflate.c b/inflate.c
+index 7a72897..2a3c4fe 100644
+--- a/inflate.c
++++ b/inflate.c
+@@ -763,10 +763,10 @@ int flush;
+ copy = state->length;
+ if (copy > have) copy = have;
+ if (copy) {
+- len = state->head->extra_len - state->length;
+ if (state->head != Z_NULL &&
+ state->head->extra != Z_NULL &&
+- len < state->head->extra_max) {
++ (len = state->head->extra_len - state->length) <
++ state->head->extra_max) {
+ zmemcpy(state->head->extra + len, next,
+ len + copy > state->head->extra_max ?
+ state->head->extra_max - len : copy);
+--
+2.37.1
+
diff --git a/src/3rdparty/zlib/src/inflate.c b/src/3rdparty/zlib/src/inflate.c
index 7a72897492..2a3c4fe984 100644
--- a/src/3rdparty/zlib/src/inflate.c
+++ b/src/3rdparty/zlib/src/inflate.c
@@ -763,10 +763,10 @@ int flush;
copy = state->length;
if (copy > have) copy = have;
if (copy) {
- len = state->head->extra_len - state->length;
if (state->head != Z_NULL &&
state->head->extra != Z_NULL &&
- len < state->head->extra_max) {
+ (len = state->head->extra_len - state->length) <
+ state->head->extra_max) {
zmemcpy(state->head->extra + len, next,
len + copy > state->head->extra_max ?
state->head->extra_max - len : copy);