From patchwork Thu Jun 15 14:54:34 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Oleksandr Suvorov <oleksandr.suvorov@foundries.io>
X-Patchwork-Id: 1795485
X-Patchwork-Delegate: trini@ti.com
Return-Path: <u-boot-bounces@lists.denx.de>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@legolas.ozlabs.org
Authentication-Results: legolas.ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=lists.denx.de
 (client-ip=2a01:238:438b:c500:173d:9f52:ddab:ee01; helo=phobos.denx.de;
 envelope-from=u-boot-bounces@lists.denx.de; receiver=<UNKNOWN>)
Authentication-Results: legolas.ozlabs.org;
	dkim=pass (2048-bit key;
 unprotected) header.d=foundries.io header.i=@foundries.io header.a=rsa-sha256
 header.s=google header.b=CSyLLo1n;
	dkim-atps=neutral
Received: from phobos.denx.de (phobos.denx.de
 [IPv6:2a01:238:438b:c500:173d:9f52:ddab:ee01])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature ECDSA (P-384))
	(No client certificate requested)
	by legolas.ozlabs.org (Postfix) with ESMTPS id 4Qhlh10XPPz20Wy
	for <incoming@patchwork.ozlabs.org>; Fri, 16 Jun 2023 00:54:57 +1000 (AEST)
Received: from h2850616.stratoserver.net (localhost [IPv6:::1])
	by phobos.denx.de (Postfix) with ESMTP id 42B6B8631D;
	Thu, 15 Jun 2023 16:54:52 +0200 (CEST)
Authentication-Results: phobos.denx.de;
 dmarc=none (p=none dis=none) header.from=foundries.io
Authentication-Results: phobos.denx.de;
 spf=pass smtp.mailfrom=u-boot-bounces@lists.denx.de
Authentication-Results: phobos.denx.de;
	dkim=pass (2048-bit key;
 unprotected) header.d=foundries.io header.i=@foundries.io
 header.b="CSyLLo1n";
	dkim-atps=neutral
Received: by phobos.denx.de (Postfix, from userid 109)
 id E8C218631F; Thu, 15 Jun 2023 16:54:50 +0200 (CEST)
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on phobos.denx.de
X-Spam-Level: 
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
 DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS,
 T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.2
Received: from mail-wm1-x32e.google.com (mail-wm1-x32e.google.com
 [IPv6:2a00:1450:4864:20::32e])
 (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits))
 (No client certificate requested)
 by phobos.denx.de (Postfix) with ESMTPS id C8D34862AA
 for <u-boot@lists.denx.de>; Thu, 15 Jun 2023 16:54:47 +0200 (CEST)
Authentication-Results: phobos.denx.de;
 dmarc=none (p=none dis=none) header.from=foundries.io
Authentication-Results: phobos.denx.de;
 spf=pass smtp.mailfrom=oleksandr.suvorov@foundries.io
Received: by mail-wm1-x32e.google.com with SMTP id
 5b1f17b1804b1-3f7ebb2b82cso19538235e9.2
 for <u-boot@lists.denx.de>; Thu, 15 Jun 2023 07:54:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=foundries.io; s=google; t=1686840887; x=1689432887;
 h=content-transfer-encoding:mime-version:message-id:date:subject:cc
 :to:from:from:to:cc:subject:date:message-id:reply-to;
 bh=ZlcZ/TvSHRdVMgcEyiYYvZoSkkmQihHQknCJfDU7dXU=;
 b=CSyLLo1nTyuw0pHvCEkGQmkL1dQmaKLnQuf6ADthH1ZO6Var7o0sF94pAH/ZHT+NUy
 EsEzQ71hHkuxv4Kig5gX6tASmoGYPtyRsLT8OgiFMGKTPYsbM/ald0MJgSO37xD0OTRg
 atIPxO04aVYHPpHw+tLhWMjJlQ/xG52NPAKD6031RUIPb31aLkZ1Qm1ePJYpDHASWb0G
 BihW+2SLV4fddKGko+F5loREzS56cFBCodVPydT4Jv6r9mZZB/zAELMa7zC6yzSbOZTK
 kDk3Ipkvgx2P1ePSqZxE3bsQYH0sZMGsXx69Sayap75DgWpWfG6JNHLykqf6CR1/J5AF
 bVnQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=1e100.net; s=20221208; t=1686840887; x=1689432887;
 h=content-transfer-encoding:mime-version:message-id:date:subject:cc
 :to:from:x-gm-message-state:from:to:cc:subject:date:message-id
 :reply-to;
 bh=ZlcZ/TvSHRdVMgcEyiYYvZoSkkmQihHQknCJfDU7dXU=;
 b=ERbykPOQJDOHGQhnfs26hT8AtIzb/1J9Y0AzyoM+yxKxnofc4kOq16HB98yzSbbv8B
 g2QXsfxHCysvG9SgIG9hQSsfhG/4GW4ATwZrgGx3C0BAe8l7K4FhrK9IRfQWgztMC9QN
 8cUbabeNzQaa9w1shRIuQaJrthkg9/GqE2GdaassqtTfPnM+AUrUrEFVwG6sgjs5zwZw
 7rfBz3/k+4hbB8UjqQsM77YfwqXG495cN5ENfPrdeC6YWEIeMVhop4knbzdoCLAfSjbd
 0uT0WPxrrWtcM99FZuqaFVUtFjhP1yauIjkZRjLrd5rHiWCj2e7ns/pA0OASS3P+Q8Co
 nTMw==
X-Gm-Message-State: AC+VfDyPc9oFK6n9Mzw6zdmejxbO2SeZJtBMOZ9f5XxzZfEFUBIOilO7
 Dum6u/M5ISm22SW9judHyAEgDP/Q9h0yajN/Qt8fvw==
X-Google-Smtp-Source: 
 ACHHUZ5Y3bCKlS9IjeXX4/fZEmVixhD/VdCyBxetYirrE2WP+nIselSwtBGxaL8AwojYk7/8Z1K8AQ==
X-Received: by 2002:adf:db03:0:b0:311:17c5:3a9a with SMTP id
 s3-20020adfdb03000000b0031117c53a9amr1286227wri.38.1686840886786;
 Thu, 15 Jun 2023 07:54:46 -0700 (PDT)
Received: from localhost.localdomain ([194.104.22.162])
 by smtp.gmail.com with ESMTPSA id
 b1-20020a5d5501000000b0030ae69920c9sm21323856wrv.53.2023.06.15.07.54.45
 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
 Thu, 15 Jun 2023 07:54:46 -0700 (PDT)
From: Oleksandr Suvorov <oleksandr.suvorov@foundries.io>
To: u-boot@lists.denx.de
Cc: Oleksandr Suvorov <oleksandr.suvorov@foundries.io>
Subject: [PATCH] lib/zlib: Fix a bug when getting a gzip header extra field
Date: Thu, 15 Jun 2023 17:54:34 +0300
Message-Id: <20230615145434.103140-1-oleksandr.suvorov@foundries.io>
X-Mailer: git-send-email 2.40.1
MIME-Version: 1.0
X-BeenThere: u-boot@lists.denx.de
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: U-Boot discussion <u-boot.lists.denx.de>
List-Unsubscribe: <https://lists.denx.de/options/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=unsubscribe>
List-Archive: <https://lists.denx.de/pipermail/u-boot/>
List-Post: <mailto:u-boot@lists.denx.de>
List-Help: <mailto:u-boot-request@lists.denx.de?subject=help>
List-Subscribe: <https://lists.denx.de/listinfo/u-boot>,
 <mailto:u-boot-request@lists.denx.de?subject=subscribe>
Errors-To: u-boot-bounces@lists.denx.de
Sender: "U-Boot" <u-boot-bounces@lists.denx.de>
X-Virus-Scanned: clamav-milter 0.103.8 at phobos.denx.de
X-Virus-Status: Clean

This fixes CVE-2022-37434 [1] and bases on 2 commits from Mark
Adler's zlib master repo - the original fix of CVE bug [2] and
the fix for the fix [3].

[1]
https://github.com/advisories/GHSA-cfmr-vrgj-vqwv
[2]
https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1
[3]
https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d

Fixes: e89516f031d ("zlib: split up to match original source tree")
Signed-off-by: Oleksandr Suvorov <oleksandr.suvorov@foundries.io>
---

 lib/zlib/inflate.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/zlib/inflate.c b/lib/zlib/inflate.c
index 30dfe155995..8f767b7b9d2 100644
--- a/lib/zlib/inflate.c
+++ b/lib/zlib/inflate.c
@@ -455,8 +455,9 @@ int ZEXPORT inflate(z_streamp strm, int flush)
                 if (copy > have) copy = have;
                 if (copy) {
                     if (state->head != Z_NULL &&
-                        state->head->extra != Z_NULL) {
-                        len = state->head->extra_len - state->length;
+                        state->head->extra != Z_NULL &&
+                        (len = state->head->extra_len - state->length) <
+                            state->head->extra_max) {
                         zmemcpy(state->head->extra + len, next,
                                 len + copy > state->head->extra_max ?
                                 state->head->extra_max - len : copy);