diff options
| -rw-r--r-- | lib/decompress_inflate.c | 17 |
1 files changed, 13 insertions, 4 deletions
diff --git a/lib/decompress_inflate.c b/lib/decompress_inflate.c index b5fe1d1d5f05..19ff89e34eec 100644 --- a/lib/decompress_inflate.c +++ b/lib/decompress_inflate.c | |||
| @@ -98,13 +98,22 @@ STATIC int INIT gunzip(unsigned char *buf, int len, | |||
| 98 | * possible asciz filename) | 98 | * possible asciz filename) |
| 99 | */ | 99 | */ |
| 100 | strm->next_in = zbuf + 10; | 100 | strm->next_in = zbuf + 10; |
| 101 | strm->avail_in = len - 10; | ||
| 101 | /* skip over asciz filename */ | 102 | /* skip over asciz filename */ |
| 102 | if (zbuf[3] & 0x8) { | 103 | if (zbuf[3] & 0x8) { |
| 103 | while (strm->next_in[0]) | 104 | do { |
| 104 | strm->next_in++; | 105 | /* |
| 105 | strm->next_in++; | 106 | * If the filename doesn't fit into the buffer, |
| 107 | * the file is very probably corrupt. Don't try | ||
| 108 | * to read more data. | ||
| 109 | */ | ||
| 110 | if (strm->avail_in == 0) { | ||
| 111 | error("header error"); | ||
| 112 | goto gunzip_5; | ||
| 113 | } | ||
| 114 | --strm->avail_in; | ||
| 115 | } while (*strm->next_in++); | ||
| 106 | } | 116 | } |
| 107 | strm->avail_in = len - (strm->next_in - zbuf); | ||
| 108 | 117 | ||
| 109 | strm->next_out = out_buf; | 118 | strm->next_out = out_buf; |
| 110 | strm->avail_out = out_len; | 119 | strm->avail_out = out_len; |