Date: Tue, 30 Aug 2022 23:14:39 GMT
Message-Id: <202208302314.27UNEd7G060647@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Ed Maste
Subject: git: 289231c9634a - releng/13.1 - zlib: Fix a bug when getting a gzip header extra field with inflate().
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-Git-Committer: emaste
X-Git-Repository: src
X-Git-Refname: refs/heads/releng/13.1
X-Git-Reftype: branch
X-Git-Commit: 289231c9634adfc80b550b010847cb278fbd377f

The branch releng/13.1 has been updated by emaste:

URL:
https://cgit.FreeBSD.org/src/commit/?id=289231c9634adfc80b550b010847cb278fbd377f

commit 289231c9634adfc80b550b010847cb278fbd377f
Author:     Mark Adler
AuthorDate: 2022-07-30 22:51:11 +0000
Commit:     Ed Maste
CommitDate: 2022-08-30 23:02:48 +0000

    zlib: Fix a bug when getting a gzip header extra field with inflate().

    If the extra field was larger than the space the user provided with
    inflateGetHeader(), and if multiple calls of inflate() delivered
    the extra header data, then there could be a buffer overflow of the
    provided space. This commit assures that provided space is not
    exceeded.

    (cherry picked from zlib commit eff308af425b67093bab25f80f1ae950166bece1)
    (cherry picked from zlib commit 1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d)
    (cherry picked from commit dc3509f1aafcd966f3dd9226115cf94b691ff3c7)
    (cherry picked from commit 2969066f73fc67a614144ac09b9f3f5291937fed)
    (cherry picked from commit 10cc2bf5f7a592981ee00d22eb13e100beed1e64)

    Approved by: so
    Security: CVE-2022-37434
---
 sys/contrib/zlib/inflate.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/sys/contrib/zlib/inflate.c b/sys/contrib/zlib/inflate.c index 499626d87a1c..d4b4a0978656 100644 --- a/sys/contrib/zlib/inflate.c +++ b/sys/contrib/zlib/inflate.c @@ -764,8 +764,9 @@ int flush; if (copy > have) copy = have; if (copy) { if (state->head != Z_NULL && - state->head->extra != Z_NULL) { - len = state->head->extra_len - state->length; + state->head->extra != Z_NULL && + (len = state->head->extra_len - state->length) < + state->head->extra_max) { zmemcpy(state->head->extra + len, next, len + copy > state->head->extra_max ? state->head->extra_max - len : copy);
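
Review bot: The assignment to len is now buried in the third operand of the if condition, "(len = state->head->extra_len - state->length) < state->head->extra_max", and its position is load-bearing: it dereferences state->head, so it has to stay after the two Z_NULL tests. Please add a one-line comment saying so, or keep the assignment readable by nesting a separate "if (len < state->head->extra_max)" inside the NULL-checked block, so that a later cleanup does not hoist it above the NULL checks. A second comment should state that the clamp in the zmemcpy() call, "state->head->extra_max - len", relies on this guard to keep len below extra_max, and that extra-field bytes arriving once len has reached extra_max are skipped on purpose rather than copied. A regression test that feeds a gzip header whose extra field is longer than extra_max across several inflate() calls would keep this path covered.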