Port zlib fix for CVE-2016-9840:

Commit ref: 6a043145ca Additionally updated lext table to one used in zlib v1.2.11. close #2314
2025-07-31 05:17:26 +02:00 · 2021-09-17 11:33:54 +02:00
parent b16005a456
commit 3fd090af3b
2 changed files with 10 additions and 11 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -1,5 +1,6 @@
 Version XXX:

+* Fix CVE-2016-9840 in zlib implementation.
 * Fix TLS SNI handling in websocket_client_async_ssl example.
 * Fix reuse of sliding window in WebSocket permessage_deflate.
 * Fix accept error handling in http_server_async example.
--- a/include/boost/beast/zlib/detail/inflate_stream.ipp
+++ b/include/boost/beast/zlib/detail/inflate_stream.ipp
@ -572,7 +572,7 @@ inflate_table(
    code *next;                     // next available space in table
    std::uint16_t const* base;      // base value table to use
    std::uint16_t const* extra;     // extra bits table to use
-    int end;                        // use base and extra for symbol > end
+    unsigned match;                 // use base and extra for symbol >= match
    std::uint16_t count[15+1];      // number of codes of each length
    std::uint16_t offs[15+1];       // offsets in table for each length

@ -584,7 +584,7 @@ inflate_table(
    // Length codes 257..285 extra
    static std::uint16_t constexpr lext[31] = {
        16, 16, 16, 16, 16, 16, 16, 16, 17, 17, 17, 17, 18, 18, 18, 18,
-        19, 19, 19, 19, 20, 20, 20, 20, 21, 21, 21, 21, 16, 72, 78};
+        19, 19, 19, 19, 20, 20, 20, 20, 21, 21, 21, 21, 16, 77, 202};

    // Distance codes 0..29 base
    static std::uint16_t constexpr dbase[32] = {
@ -722,19 +722,17 @@ inflate_table(
    {
    case build::codes:
        base = extra = work;    /* dummy value--not used */
-        end = 19;
+        match = 20;
        break;
    case build::lens:
        base = lbase;
-        base -= 257;
        extra = lext;
-        extra -= 257;
-        end = 256;
+        match = 257;
        break;
    default:            /* build::dists */
        base = dbase;
        extra = dext;
-        end = -1;
+        match = 0;
    }

    /* initialize state for loop */
@ -764,15 +762,15 @@ inflate_table(
    {
        /* create table entry */
        here.bits = (std::uint8_t)(len - drop);
-        if ((int)(work[sym]) < end)
+        if (work[sym] + 1U < match)
        {
            here.op = (std::uint8_t)0;
            here.val = work[sym];
        }
-        else if ((int)(work[sym]) > end)
+        else if (work[sym] >= match)
        {
-            here.op = (std::uint8_t)(extra[work[sym]]);
-            here.val = base[work[sym]];
+            here.op = (std::uint8_t)(extra[work[sym] - match]);
+            here.val = base[work[sym] - match];
        }
        else
        {