From 8304bdda5293ffd5b3efce8e4f54904b387029d6 Mon Sep 17 00:00:00 2001
From: Hans Wennborg <[email protected]>
Date: Wed, 23 Sep 2020 16:36:38 +0200
Subject: [PATCH] Avoid crashing in check_match when prev_match == -1

prev_match can be set to -1 after sliding the window. In that case, the
window has slid past the first byte of the last match, which means it
cannot be compared in check_match.

This would cause zlib to crash on some inputs to deflate when built
with ZLIB_DEBUG enabled.

Check for this situation and avoid crashing by not trying to compare
the first byte.
15*86ee64e7SAndroid Build Coastguard Worker 16*86ee64e7SAndroid Build Coastguard WorkerBug: 1113142 17*86ee64e7SAndroid Build Coastguard Worker--- 18*86ee64e7SAndroid Build Coastguard Worker third_party/zlib/deflate.c | 8 +++++++- 19*86ee64e7SAndroid Build Coastguard Worker 1 file changed, 7 insertions(+), 1 deletion(-) 20*86ee64e7SAndroid Build Coastguard Worker 21*86ee64e7SAndroid Build Coastguard Workerdiff --git a/third_party/zlib/deflate.c b/third_party/zlib/deflate.c 22*86ee64e7SAndroid Build Coastguard Workerindex cfdd2f46b230..d70732ec6fc2 100644 23*86ee64e7SAndroid Build Coastguard Worker--- a/third_party/zlib/deflate.c 24*86ee64e7SAndroid Build Coastguard Worker+++ b/third_party/zlib/deflate.c 25*86ee64e7SAndroid Build Coastguard Worker@@ -2060,7 +2060,13 @@ local block_state deflate_slow(s, flush) 26*86ee64e7SAndroid Build Coastguard Worker uInt max_insert = s->strstart + s->lookahead - MIN_MATCH; 27*86ee64e7SAndroid Build Coastguard Worker /* Do not insert strings in hash table beyond this. */ 28*86ee64e7SAndroid Build Coastguard Worker 29*86ee64e7SAndroid Build Coastguard Worker- check_match(s, s->strstart-1, s->prev_match, s->prev_length); 30*86ee64e7SAndroid Build Coastguard Worker+ if (s->prev_match == -1) { 31*86ee64e7SAndroid Build Coastguard Worker+ /* The window has slid one byte past the previous match, 32*86ee64e7SAndroid Build Coastguard Worker+ * so the first byte cannot be compared. 
*/ 33*86ee64e7SAndroid Build Coastguard Worker+ check_match(s, s->strstart, s->prev_match+1, s->prev_length-1); 34*86ee64e7SAndroid Build Coastguard Worker+ } else { 35*86ee64e7SAndroid Build Coastguard Worker+ check_match(s, s->strstart-1, s->prev_match, s->prev_length); 36*86ee64e7SAndroid Build Coastguard Worker+ } 37*86ee64e7SAndroid Build Coastguard Worker 38*86ee64e7SAndroid Build Coastguard Worker _tr_tally_dist(s, s->strstart -1 - s->prev_match, 39*86ee64e7SAndroid Build Coastguard Worker s->prev_length - MIN_MATCH, bflush); 40*86ee64e7SAndroid Build Coastguard Worker-- 41*86ee64e7SAndroid Build Coastguard Worker2.28.0.681.g6f77f65b4e-goog 42*86ee64e7SAndroid Build Coastguard Worker 43
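Review bot: The new `if (s->prev_match == -1)` branch guards only the check_match call, while the unchanged `_tr_tally_dist(s, s->strstart -1 - s->prev_match, ...)` right after it still consumes the same prev_match value. Please extend the comment to say why the distance computed there remains valid in this case (with prev_match at -1 the expression reduces to s->strstart), so a later reader does not assume the tally needs the same guard or was overlooked. The branch also handles exactly one byte of slide: it passes `s->prev_match+1` and `s->prev_length-1`, so it is worth documenting, or asserting in the debug build, that prev_match can never fall further behind the window start than that. If prev_match is an unsigned type, the comparison against the literal -1 depends on implicit conversion, and an explicit cast would make the intent clear.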