1 files changed, 44 insertions, 0 deletions
diff --git a/meta/recipes-core/zlib/zlib/CVE-2022-37434.patch b/meta/recipes-core/zlib/zlib/CVE-2022-37434.patch
new file mode 100644
index 0000000000..d29e6e0f1f
--- /dev/null
+++ b/meta/recipes-core/zlib/zlib/CVE-2022-37434.patch
@@ -0,0 +1,44 @@
+From 8617d83d6939754ae3a04fc2d22daa18eeea2a43 Mon Sep 17 00:00:00 2001
+From: Hitendra Prajapati <hprajapati@mvista.com>
+Date: Wed, 17 Aug 2022 10:15:57 +0530
+Subject: [PATCH] CVE-2022-37434
+Upstream-Status: Backport [https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1 & https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d]
+CVE: CVE-2022-37434
+Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
+Fix a bug when getting a gzip header extra field with inflate().
+If the extra field was larger than the space the user provided with
+inflateGetHeader(), and if multiple calls of inflate() delivered
+the extra header data, then there could be a buffer overflow of the
+provided space. This commit assures that provided space is not
+exceeded.
+ Fix extra field processing bug that dereferences NULL state->head.
+The recent commit to fix a gzip header extra field processing bug
+introduced the new bug fixed here.
+---
+ inflate.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+diff --git a/inflate.c b/inflate.c
+index ac333e8..cd01857 100644
+--- a/inflate.c
+++ b/inflate.c
+@@ -759,8 +759,9 @@ int flush;
+                 if (copy > have) copy = have;
+                 if (copy) {
+                     if (state->head != Z_NULL &&
+-                        state->head->extra != Z_NULL) {
+-                        len = state->head->extra_len - state->length;
+                        state->head->extra != Z_NULL &&
+                        (len = state->head->extra_len - state->length) <
+                            state->head->extra_max) {
+                         zmemcpy(state->head->extra + len, next,
+                                 len + copy > state->head->extra_max ?
+                                 state->head->extra_max - len : copy);
+-- 
+2.25.1

diff --git a/meta/recipes-core/zlib/zlib/CVE-2022-37434.patch b/meta/recipes-core/zlib/zlib/CVE-2022-37434.patch new file mode 100644 index 0000000000..d29e6e0f1f --- /dev/null +++ b/meta/recipes-core/zlib/zlib/CVE-2022-37434.patch
@@ -0,0 +1,44 @@
	1	From 8617d83d6939754ae3a04fc2d22daa18eeea2a43 Mon Sep 17 00:00:00 2001
	2	From: Hitendra Prajapati <hprajapati@mvista.com>
	3	Date: Wed, 17 Aug 2022 10:15:57 +0530
	4	Subject: [PATCH] CVE-2022-37434
	5
	6	Upstream-Status: Backport [https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1 & https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d]
	7	CVE: CVE-2022-37434
	8	Signed-off-by: Hitendra Prajapati <hprajapati@mvista.com>
	9
	10	Fix a bug when getting a gzip header extra field with inflate().
	11
	12	If the extra field was larger than the space the user provided with
	13	inflateGetHeader(), and if multiple calls of inflate() delivered
	14	the extra header data, then there could be a buffer overflow of the
	15	provided space. This commit assures that provided space is not
	16	exceeded.
	17
	18	Fix extra field processing bug that dereferences NULL state->head.
	19
	20	The recent commit to fix a gzip header extra field processing bug
	21	introduced the new bug fixed here.
	22	---
	23	inflate.c \| 5 +++--
	24	1 file changed, 3 insertions(+), 2 deletions(-)
	25
	26	diff --git a/inflate.c b/inflate.c
	27	index ac333e8..cd01857 100644
	28	--- a/inflate.c
	29	+++ b/inflate.c
	30	@@ -759,8 +759,9 @@ int flush;
	31	if (copy > have) copy = have;
	32	if (copy) {
	33	if (state->head != Z_NULL &&
	34	- state->head->extra != Z_NULL) {
	35	- len = state->head->extra_len - state->length;
	36	+ state->head->extra != Z_NULL &&
	37	+ (len = state->head->extra_len - state->length) <
	38	+ state->head->extra_max) {
	39	zmemcpy(state->head->extra + len, next,
	40	len + copy > state->head->extra_max ?
	41	state->head->extra_max - len : copy);
	42	--
	43	2.25.1
	44