Fix a bug when getting a gzip header extra field with inflate().

If the extra field was larger than the space the user provided with inflateGetHeader(), and if multiple calls of inflate() delivered the extra header data, then there could be a buffer overflow of the provided space. This commit assures that provided space is not exceeded.
3 years ago · eff308af42
parent b8bd09801f
commit eff308af42
1 changed files with 3 additions and 2 deletions
--- a/inflate.c
+++ b/inflate.c
@ -763,9 +763,10 @@ int flush;
                copy = state->length;
                if (copy > have) copy = have;
                if (copy) {
+                    len = state->head->extra_len - state->length;
                    if (state->head != Z_NULL &&
-                        state->head->extra != Z_NULL) {
-                        len = state->head->extra_len - state->length;
+                        state->head->extra != Z_NULL &&
+                        len < state->head->extra_max) {
                        zmemcpy(state->head->extra + len, next,
                                len + copy > state->head->extra_max ?
                                state->head->extra_max - len : copy);