diff options
Diffstat (limited to 'zlib/inffast.c')
| -rw-r--r-- | zlib/inffast.c | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/zlib/inffast.c b/zlib/inffast.c index 8c02a178d04..bbee92ed1e6 100644 --- a/zlib/inffast.c +++ b/zlib/inffast.c @@ -74,6 +74,9 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */ unsigned char FAR *out; /* local strm->next_out */ unsigned char FAR *beg; /* inflate()'s initial strm->next_out */ unsigned char FAR *end; /* while out < end, enough space available */ +#ifdef INFLATE_STRICT + unsigned dmax; /* maximum distance from zlib header */ +#endif unsigned wsize; /* window size or zero if not using window */ unsigned whave; /* valid bytes in the window */ unsigned write; /* window write index */ @@ -98,6 +101,9 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */ out = strm->next_out - OFF; beg = out - (start - strm->avail_out); end = out + (strm->avail_out - 257); +#ifdef INFLATE_STRICT + dmax = state->dmax; +#endif wsize = state->wsize; whave = state->whave; write = state->write; @@ -167,6 +173,13 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */ } } dist += (unsigned)hold & ((1U << op) - 1); +#ifdef INFLATE_STRICT + if (dist > dmax) { + strm->msg = (char *)"invalid distance too far back"; + state->mode = BAD; + break; + } +#endif hold >>= op; bits -= op; Tracevv((stderr, "inflate: distance %u\n", dist)); |