Fix bug that accepted invalid zlib header when windowBits is zero.

When windowBits is zero, the size of the sliding window comes from
the zlib header.  The allowed values of the four-bit field are
0..7, but when windowBits is zero, values greater than 7 are
permitted and acted upon, resulting in large, mostly unused memory
allocations.  This fix rejects such invalid zlib headers.

diff --git a/inflate.c b/inflate.c
index 72e8438d7eb45e7037b86a65619d6f2dd8893af8..5a687a6973047a64885e2ac8b8de3a1a42b3942d 100644 (file)
--- a/inflate.c
+++ b/inflate.c
@@ -674,7 +674,7 @@ int flush;
             len = BITS(4) + 8;
             if (state->wbits == 0)
                 state->wbits = len;
-            else if (len > state->wbits) {
+            if (len > 15 || len > state->wbits) {
                 strm->msg = (char *)"invalid window size";
                 state->mode = BAD;
                 break;