Fix bug that accepted invalid zlib header when windowBits is zero.

When windowBits is zero, the size of the sliding window comes from the zlib header. The allowed values of the four-bit field are 0..7, but when windowBits is zero, values greater than 7 are permitted and acted upon, resulting in large, mostly unused memory allocations. This fix rejects such invalid zlib headers.

Fix bug that accepted invalid zlib header when windowBits is zero.
When windowBits is zero, the size of the sliding window comes from the zlib header. The allowed values of the four-bit field are 0..7, but when windowBits is zero, values greater than 7 are permitted and acted upon, resulting in large, mostly unused memory allocations. This fix rejects such invalid zlib headers.
6cef1de7 · Mark Adler · 8f1b3744 · 6cef1de7
隐藏空白更改
内联并排

Showing with 1 addition and 1 deletion

inflate.c inflate.c +1 -1

未找到文件。
--- a/inflate.c
+++ b/inflate.c
@@ -674,7 +674,7 @@ int flush;
            len = BITS(4) + 8;
            if (state->wbits == 0)
                state->wbits = len;
-            else if (len > state->wbits) {
+            if (len > 15 || len > state->wbits) {
                strm->msg = (char *)"invalid window size";
                state->mode = BAD;
                break;