diff options
Diffstat (limited to 'meta/recipes-core/zlib/zlib/CVE-2022-37434.patch')
-rw-r--r-- | meta/recipes-core/zlib/zlib/CVE-2022-37434.patch | 44 |
1 files changed, 44 insertions, 0 deletions
diff --git a/meta/recipes-core/zlib/zlib/CVE-2022-37434.patch b/meta/recipes-core/zlib/zlib/CVE-2022-37434.patch new file mode 100644 index 0000000000..d29e6e0f1f --- /dev/null +++ b/meta/recipes-core/zlib/zlib/CVE-2022-37434.patch | |||
@@ -0,0 +1,44 @@ | |||
1 | From 8617d83d6939754ae3a04fc2d22daa18eeea2a43 Mon Sep 17 00:00:00 2001 | ||
2 | From: Hitendra Prajapati <hprajapati@mvista.com> | ||
3 | Date: Wed, 17 Aug 2022 10:15:57 +0530 | ||
4 | Subject: [PATCH] CVE-2022-37434 | ||
5 | |||
6 | Upstream-Status: Backport [https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1 & https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d] | ||
7 | CVE: CVE-2022-37434 | ||
8 | Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com> | ||
9 | |||
10 | Fix a bug when getting a gzip header extra field with inflate(). | ||
11 | |||
12 | If the extra field was larger than the space the user provided with | ||
13 | inflateGetHeader(), and if multiple calls of inflate() delivered | ||
14 | the extra header data, then there could be a buffer overflow of the | ||
15 | provided space. This commit assures that provided space is not | ||
16 | exceeded. | ||
17 | |||
18 | Fix extra field processing bug that dereferences NULL state->head. | ||
19 | |||
20 | The recent commit to fix a gzip header extra field processing bug | ||
21 | introduced the new bug fixed here. | ||
22 | --- | ||
23 | inflate.c | 5 +++-- | ||
24 | 1 file changed, 3 insertions(+), 2 deletions(-) | ||
25 | |||
26 | diff --git a/inflate.c b/inflate.c | ||
27 | index ac333e8..cd01857 100644 | ||
28 | --- a/inflate.c | ||
29 | +++ b/inflate.c | ||
30 | @@ -759,8 +759,9 @@ int flush; | ||
31 | if (copy > have) copy = have; | ||
32 | if (copy) { | ||
33 | if (state->head != Z_NULL && | ||
34 | - state->head->extra != Z_NULL) { | ||
35 | - len = state->head->extra_len - state->length; | ||
36 | + state->head->extra != Z_NULL && | ||
37 | + (len = state->head->extra_len - state->length) < | ||
38 | + state->head->extra_max) { | ||
39 | zmemcpy(state->head->extra + len, next, | ||
40 | len + copy > state->head->extra_max ? | ||
41 | state->head->extra_max - len : copy); | ||
42 | -- | ||
43 | 2.25.1 | ||
44 | |||