Closed. x2018 closed this issue 4 months ago.
In inflateSync(), the size of variable buf on stack is four bytes. However, there is no upper check for state->bits at https://github.com/madler/zlib/blob/5c42a230b7b468dff011f444161c0145b5efae59/inflate.c#L1385 or for len at https://github.com/madler/zlib/blob/5c42a230b7b468dff011f444161c0145b5efae59/inflate.c#L1393. As a result, the access at https://github.com/madler/zlib/blob/5c42a230b7b468dff011f444161c0145b5efae59/inflate.c#L1394 may overflow the stack variable.
state->bits is an internal variable in inflate, and can never be more than 24.
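To make the closing argument concrete, here is an added model of the byte-extraction loop in inflateSync() (this is example code written for this page, not zlib's own source; `sync_bytes`, `max_sync_len`, and the bounds-check return value of -1 are hypothetical additions the real loop does not have). It walks every `state->bits` value up to the stated bound and reports the largest number of bytes that can land in the four-byte `buf`, and also shows at which bound the buffer would be exceeded.

```c
#include <stddef.h>

#define SYNC_BUF_LEN 4        /* size of buf[] in inflateSync() as described in the report */
#define INFLATE_BITS_MAX 24   /* upper bound on state->bits stated in the reply */

/* Model of the loop in inflateSync(): drop the partial byte, then copy whole
 * bytes from the bit buffer into buf.  Returns the number of bytes written, or
 * -1 if the loop would have written past buf (an added guard; the real loop
 * relies on the state->bits invariant instead of checking). */
static int sync_bytes(unsigned long hold, unsigned bits,
                      unsigned char *buf, size_t buflen)
{
    unsigned len = 0;
    hold <<= bits & 7;          /* discard the partial byte at the bottom */
    bits -= bits & 7;           /* bits is now a multiple of 8 */
    while (bits >= 8) {
        if (len >= buflen)
            return -1;          /* would overflow: stop instead of writing */
        buf[len++] = (unsigned char)hold;
        hold >>= 8;
        bits -= 8;
    }
    return (int)len;
}

/* Exhaustively check bits in [0, maxbits]; returns the largest len the loop
 * produces, or -1 if any value of bits would overflow the 4-byte buffer. */
static int max_sync_len(unsigned maxbits)
{
    unsigned char buf[SYNC_BUF_LEN];
    int worst = 0;
    for (unsigned bits = 0; bits <= maxbits; bits++) {
        int n = sync_bytes(0xFFFFFFFFUL, bits, buf, sizeof buf);
        if (n < 0)
            return -1;
        if (n > worst)
            worst = n;
    }
    return worst;
}
```

With the stated bound of 24 bits, at most three bytes are ever written, so the four-byte buffer has headroom; the loop would only exceed it if `state->bits` could reach 40.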