Bug #14917

closed

zlib: Fix a bug when getting a gzip header extra field with inflate().

Added by Toomas Soome 10 months ago. Updated 10 months ago.

Status: Closed
Priority: High
Assignee:
Category: kernel
Start date:
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags:
Gerrit CR:
External Bug:

Description

https://nvd.nist.gov/vuln/detail/CVE-2022-37434

This issue does consist of two patches:

zlib: Fix a bug when getting a gzip header extra field with inflate().

If the extra field was larger than the space the user provided with inflateGetHeader(), and if multiple calls of inflate() delivered the extra header data, then there could be a buffer overflow of the provided space. This commit assures that provided space is not exceeded.

zlib: Fix extra field processing bug that dereferences NULL state->head.

The recent commit to fix a gzip header extra field processing bug introduced the new bug fixed here.

Testing done: build/install/boot
https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1
https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d
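
The bounds rule described in the two patch summaries above, as an added example that is not part of the original issue or of zlib's source. It is a simplified C model: struct hdr, struct reader, feed_extra, unguarded_len and demo are hypothetical names (the extra, extra_len and extra_max fields follow the names in zlib's gz_header), and the 40-byte field, 8-byte space and 16-byte chunks are constructed values.

```c
#include <stddef.h>
#include <string.h>

/* Simplified model, not zlib source. Field names mirror gz_header. */
struct hdr {
    unsigned char *extra;   /* caller-provided space, may be NULL */
    unsigned extra_len;     /* declared length of the extra field */
    unsigned extra_max;     /* size of the caller-provided space */
};
struct reader {
    struct hdr *head;       /* NULL when the caller requested no header */
    unsigned length;        /* extra-field bytes still to be consumed */
};

/* Length clamp without an offset guard: wraps once off exceeds max. */
static unsigned unguarded_len(unsigned off, unsigned n, unsigned max)
{
    return off + n > max ? max - off : n;
}

/* Hardened: test head before use, store only while off is inside the space. */
static unsigned feed_extra(struct reader *r, const unsigned char *in, unsigned n)
{
    unsigned stored = 0, off;
    if (n > r->length) n = r->length;
    if (r->head != NULL && r->head->extra != NULL &&
        (off = r->head->extra_len - r->length) < r->head->extra_max) {
        stored = r->head->extra_max - off;
        if (stored > n) stored = n;
        memcpy(r->head->extra + off, in, stored);
    }
    r->length -= n;
    return stored;
}

/* Constructed case: 40-byte field, 8-byte space, 16-byte chunks per call.
   Returns total bytes stored, or -1 if the 4 guard bytes were overwritten. */
static int demo(int with_header)
{
    unsigned char space[12], chunk[16];
    struct hdr h = { space, 40, 8 };
    struct reader r = { with_header ? &h : NULL, 40 };
    int stored = 0;
    memset(space, 0xEE, sizeof space);
    memset(chunk, 'A', sizeof chunk);
    while (r.length > 0)
        stored += (int)feed_extra(&r, chunk, sizeof chunk);
    return memcmp(space + 8, "\xEE\xEE\xEE\xEE", 4) == 0 ? stored : -1;
}
int main(void) { return demo(1) == 8 && demo(0) == 0 ? 0 : 1; }
```

On the second call the write offset is 16 while the space holds 8 bytes, which is the multi-call condition the description names; unguarded_len(16, 16, 8) wraps to a value near UINT_MAX, while feed_extra stores nothing further.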

Actions #1

Updated by Electric Monk 10 months ago

  • Gerrit CR set to 2312
Actions #2

Updated by Toomas Soome 10 months ago

  • Description updated (diff)
Actions #3

Updated by Electric Monk 10 months ago

  • Status changed from In Progress to Closed
  • % Done changed from 90 to 100

git commit 2e401babeb53295c8df347e32364beadc0ed1620

commit  2e401babeb53295c8df347e32364beadc0ed1620
Author: Mark Adler <fork@madler.net>
Date:   2022-08-19T22:15:13.000Z

    14917 zlib: Fix a bug when getting a gzip header extra field with inflate().
    Reviewed-by: Toomas Soome <tsoome@me.com>
    Reviewed by: Gordon Ross <Gordon.W.Ross@gmail.com>
    Approved by: Dan McDonald <danmcd@mnx.io>
