Skip to content

Commit

Permalink
CVE-2016-9841 (cloudflare#37)
Browse files Browse the repository at this point in the history 
Cherry-picked from: madler@9aaec95

This is (CVE-2016-9841)[GHSA-5f8r-846v-423w] fix.
  • Loading branch information
@azherebtsov
azherebtsov authored Feb 3, 2023
1 parent 8856740 commit b37f323
Showing 1 changed file with 31 additions and 50 deletions.
81 changes: 31 additions & 50 deletions inffast.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -10,25 +10,6 @@

#ifndef ASMINF

/* Allow machine dependent optimization for post-increment or pre-increment.
Based on testing to date,
Pre-increment preferred for:
- PowerPC G3 (Adler)
- MIPS R5000 (Randers-Pehrson)
Post-increment preferred for:
- none
No measurable difference:
- Pentium III (Anderson)
- M68060 (Nikl)
*/
#ifdef POSTINC
# define OFF 0
# define PUP(a) *(a)++
#else
# define OFF 1
# define PUP(a) *++(a)
#endif

/*
Decode literal, length, and distance codes and write out the resulting
literal and match bytes until either not enough input or output is
Expand Down Expand Up @@ -96,9 +77,9 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */

/* copy state to local variables */
state = (struct inflate_state FAR *)strm->state;
in = strm->next_in - OFF;
in = strm->next_in;
last = in + (strm->avail_in - (INFLATE_FAST_MIN_INPUT - 1));
out = strm->next_out - OFF;
out = strm->next_out;
beg = out - (start - strm->avail_out);
end = out + (strm->avail_out - (INFLATE_FAST_MIN_OUTPUT - 1));
#ifdef INFLATE_STRICT
Expand All @@ -119,9 +100,9 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
input data or output space */
do {
if (bits < 15) {
hold += (unsigned long)(PUP(in)) << bits;
hold += (unsigned long)(*in++) << bits;
bits += 8;
hold += (unsigned long)(PUP(in)) << bits;
hold += (unsigned long)(*in++) << bits;
bits += 8;
}
here = lcode[hold & lmask];
Expand All @@ -134,14 +115,14 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
Tracevv((stderr, here.val >= 0x20 && here.val < 0x7f ?
"inflate: literal '%c'\n" :
"inflate: literal 0x%02x\n", here.val));
PUP(out) = (unsigned char)(here.val);
*out++ = (unsigned char)(here.val);
}
else if (op & 16) { /* length base */
len = (unsigned)(here.val);
op &= 15; /* number of extra bits */
if (op) {
if (bits < op) {
hold += (unsigned long)(PUP(in)) << bits;
hold += (unsigned long)(*in++) << bits;
bits += 8;
}
len += (unsigned)hold & ((1U << op) - 1);
Expand All @@ -150,9 +131,9 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
}
Tracevv((stderr, "inflate: length %u\n", len));
if (bits < 15) {
hold += (unsigned long)(PUP(in)) << bits;
hold += (unsigned long)(*in++) << bits;
bits += 8;
hold += (unsigned long)(PUP(in)) << bits;
hold += (unsigned long)(*in++) << bits;
bits += 8;
}
here = dcode[hold & dmask];
Expand All @@ -165,10 +146,10 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
dist = (unsigned)(here.val);
op &= 15; /* number of extra bits */
if (bits < op) {
hold += (unsigned long)(PUP(in)) << bits;
hold += (unsigned long)(*in++) << bits;
bits += 8;
if (bits < op) {
hold += (unsigned long)(PUP(in)) << bits;
hold += (unsigned long)(*in++) << bits;
bits += 8;
}
}
Expand Down Expand Up @@ -196,30 +177,30 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
#ifdef INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR
if (len <= op - whave) {
do {
PUP(out) = 0;
*out++ = 0;
} while (--len);
continue;
}
len -= op - whave;
do {
PUP(out) = 0;
*out++ = 0;
} while (--op > whave);
if (op == 0) {
from = out - dist;
do {
PUP(out) = PUP(from);
*out++ = *from++;
} while (--len);
continue;
}
#endif
}
from = window - OFF;
from = window;
if (wnext == 0) { /* very common case */
from += wsize - op;
if (op < len) { /* some from window */
len -= op;
do {
PUP(out) = PUP(from);
*out++ = *from++;
} while (--op);
from = out - dist; /* rest from output */
}
Expand All @@ -230,14 +211,14 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
if (op < len) { /* some from end of window */
len -= op;
do {
PUP(out) = PUP(from);
*out++ = *from++;
} while (--op);
from = window - OFF;
from = window;
if (wnext < len) { /* some from start of window */
op = wnext;
len -= op;
do {
PUP(out) = PUP(from);
*out++ = *from++;
} while (--op);
from = out - dist; /* rest from output */
}
Expand All @@ -248,35 +229,35 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
if (op < len) { /* some from window */
len -= op;
do {
PUP(out) = PUP(from);
*out++ = *from++;
} while (--op);
from = out - dist; /* rest from output */
}
}
while (len > 2) {
PUP(out) = PUP(from);
PUP(out) = PUP(from);
PUP(out) = PUP(from);
*out++ = *from++;
*out++ = *from++;
*out++ = *from++;
len -= 3;
}
if (len) {
PUP(out) = PUP(from);
*out++ = *from++;
if (len > 1)
PUP(out) = PUP(from);
*out++ = *from++;
}
}
else {
from = out - dist; /* copy direct from output */
do { /* minimum length is three */
PUP(out) = PUP(from);
PUP(out) = PUP(from);
PUP(out) = PUP(from);
*out++ = *from++;
*out++ = *from++;
*out++ = *from++;
len -= 3;
} while (len > 2);
if (len) {
PUP(out) = PUP(from);
*out++ = *from++;
if (len > 1)
PUP(out) = PUP(from);
*out++ = *from++;
}
}
}
Expand Down Expand Up @@ -313,8 +294,8 @@ unsigned start; /* inflate()'s starting value for strm->avail_out */
hold &= (1U << bits) - 1;

/* update state and return */
strm->next_in = in + OFF;
strm->next_out = out + OFF;
strm->next_in = in;
strm->next_out = out;
strm->avail_in = (unsigned)(in < last ?
(INFLATE_FAST_MIN_INPUT - 1) + (last - in) :
(INFLATE_FAST_MIN_INPUT - 1) - (in - last));
Expand Down

0 comments on commit b37f323

Please sign in to comment.