webadmin/bpfire
1
0
Fork 0
mirror of https://github.com/vincentmli/bpfire.git synced 2026-04-09 18:45:54 +02:00
Code Issues Packages Projects Releases Wiki Activity

zlib: Incorporate fix for CVE-2022-37434

Browse Source 
https://www.cve.org/CVERecord?id=CVE-2022-37434

Signed-off-by: Peter Müller <peter.mueller@ipfire.org>
Reviewed-by: Michael Tremer <michael.tremer@ipfire.org>
This commit is contained in:
Peter Müller
2022-08-07 09:18:45 +00:00
parent f25f1b55af
commit 30f0ea198d
2 changed files with 33 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
lfs/zlib
View File

@@ -77,6 +77,10 @@ $(subst %,%_BLAKE2,$(objects)) :
$(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects))
@$(PREBUILD)
@rm -rf $(DIR_APP) && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE)
# Fix for CVE-2022-37434
cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/zlib-CVE-2022-37434.patch
cd $(DIR_APP) && CROSS_PREFIX=$(CROSS_PREFIX) ./configure --prefix=$(PREFIX) --shared
cd $(DIR_APP) && make $(MAKETUNING)
cd $(DIR_APP) && make install

29
src/patches/zlib-CVE-2022-37434.patch Normal file
View File

@@ -0,0 +1,29 @@
commit eff308af425b67093bab25f80f1ae950166bece1
Author: Mark Adler <fork@madler.net>
Date: Sat Jul 30 15:51:11 2022 -0700
Fix a bug when getting a gzip header extra field with inflate().
If the extra field was larger than the space the user provided with
inflateGetHeader(), and if multiple calls of inflate() delivered
the extra header data, then there could be a buffer overflow of the
provided space. This commit assures that provided space is not
exceeded.
diff --git a/inflate.c b/inflate.c
index 7be8c63..7a72897 100644
--- a/inflate.c
+++ b/inflate.c
@@ -763,9 +763,10 @@ int flush;
copy = state->length;
if (copy > have) copy = have;
if (copy) {
+ len = state->head->extra_len - state->length;
if (state->head != Z_NULL &&
- state->head->extra != Z_NULL) {
- len = state->head->extra_len - state->length;
+ state->head->extra != Z_NULL &&
+ len < state->head->extra_max) {
zmemcpy(state->head->extra + len, next,
len + copy > state->head->extra_max ?
state->head->extra_max - len : copy);