madler / zlib

A massively spiffy yet delicately unobtrusive compression library.
http://zlib.net/

Report a potential bug in inflateSync() #947

Closed x2018 closed 4 months ago

x2018 commented 4 months ago

In inflateSync(), the size of variable buf on stack is four bytes. However, there is no upper check for state->bits at https://github.com/madler/zlib/blob/5c42a230b7b468dff011f444161c0145b5efae59/inflate.c#L1385 or for len at https://github.com/madler/zlib/blob/5c42a230b7b468dff011f444161c0145b5efae59/inflate.c#L1393. As a result, the access at https://github.com/madler/zlib/blob/5c42a230b7b468dff011f444161c0145b5efae59/inflate.c#L1394 may overflow the stack variable.

madler commented 4 months ago

state->bits is an internal variable in inflate, and can never be more than 24.
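To make the bound concrete, here is an added model (not zlib's code) of the inflateSync() prologue the report points at: the partial byte is dropped, then whole bytes of the bit buffer are spilled into a 4-byte buf. `spill_bit_buffer` and `bytes_for_bits` are hypothetical names; the function adds a capacity guard so the model can report instead of overflow. With the invariant bits <= 24 stated above, at most 3 bytes are written.

```c
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of the inflateSync() prologue (not zlib's code).
 * hold/bits mirror state->hold/state->bits; buf has room for cap bytes.
 * Returns the number of bytes spilled, or -1 if buf would be overrun
 * (the real loop has no such guard; it relies on bits <= 24). */
int spill_bit_buffer(unsigned long hold, unsigned bits,
                     unsigned char *buf, size_t cap) {
    size_t len = 0;
    hold >>= bits & 7;          /* discard the bits that do not form a whole byte */
    bits -= bits & 7;
    while (bits >= 8) {
        if (len >= cap)         /* added check, only present in this model */
            return -1;
        buf[len++] = (unsigned char)hold;
        hold >>= 8;
        bits -= 8;
    }
    return (int)len;
}

/* Bytes the loop above emits for a given bit count: whole bytes only. */
size_t bytes_for_bits(unsigned bits) {
    return bits / 8;
}

int main(void) {
    unsigned char buf[4];       /* same size as buf in inflateSync() */
    unsigned bits;
    /* constructed bit-buffer contents; 24 is the maximum inflate reaches */
    for (bits = 0; bits <= 24; bits++)
        printf("bits=%2u -> %zu byte(s) (max index %d)\n", bits,
               bytes_for_bits(bits), (int)bytes_for_bits(bits) - 1);
    /* an out-of-invariant value shows what the guard would catch */
    printf("bits=40 -> %d (guard reports overrun)\n",
           spill_bit_buffer(0x1122334455UL, 40, buf, sizeof buf));
    return 0;
}
```

For every value the invariant allows, the highest index written is 2, so the 4-byte buffer is never exceeded.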