Don't use 'dmax' and 'sane' variables unless their checks have been c…

…ompiled in.
zlib-ng · Oct 8, 2024 · 39e9c86 · 39e9c86
1 parent 3297953
commit 39e9c86
Show file tree

Hide file tree

Showing 4 changed files with 32 additions and 18 deletions.
diff --git a/infback.c b/infback.c
@@ -53,14 +53,18 @@ int32_t ZNG_CONDEXPORT PREFIX(inflateBackInit)(PREFIX3(stream) *strm, int32_t wi
     Tracev((stderr, "inflate: allocated\n"));
 
     strm->state = (struct internal_state *)state;
-    state->dmax = 32768U;
     state->wbits = (unsigned int)windowBits;
     state->wsize = 1U << windowBits;
     state->window = window;
     state->wnext = 0;
     state->whave = 0;
-    state->sane = 1;
     state->chunksize = FUNCTABLE_CALL(chunksize)();
+#ifdef INFLATE_STRICT
+    state->dmax = 32768U;
+#endif
+#ifdef INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR
+    state->sane = 1;
+#endif
     return Z_OK;
 }
 

diff --git a/inffast_tpl.h b/inffast_tpl.h
@@ -59,9 +59,6 @@ void Z_INTERNAL INFLATE_FAST(PREFIX3(stream) *strm, uint32_t start) {
     unsigned char *beg;         /* inflate()'s initial strm->next_out */
     unsigned char *end;         /* while out < end, enough space available */
     unsigned char *safe;        /* can use chunkcopy provided out < safe */
-#ifdef INFLATE_STRICT
-    unsigned dmax;              /* maximum distance from zlib header */
-#endif
     unsigned wsize;             /* window size or zero if not using window */
     unsigned whave;             /* valid bytes in the window */
     unsigned wnext;             /* window write index */
@@ -126,9 +123,6 @@ void Z_INTERNAL INFLATE_FAST(PREFIX3(stream) *strm, uint32_t start) {
     beg = out - (start - strm->avail_out);
     end = out + (strm->avail_out - (INFLATE_FAST_MIN_LEFT - 1));
     safe = out + strm->avail_out;
-#ifdef INFLATE_STRICT
-    dmax = state->dmax;
-#endif
     wsize = state->wsize;
     whave = state->whave;
     wnext = state->wnext;
@@ -193,7 +187,7 @@ void Z_INTERNAL INFLATE_FAST(PREFIX3(stream) *strm, uint32_t start) {
                 op &= MAX_BITS;                 /* number of extra bits */
                 dist += BITS(op);
 #ifdef INFLATE_STRICT
-                if (dist > dmax) {
+                if (dist > state->dmax) {
                     SET_BAD("invalid distance too far back");
                     break;
                 }
@@ -204,11 +198,11 @@ void Z_INTERNAL INFLATE_FAST(PREFIX3(stream) *strm, uint32_t start) {
                 if (dist > op) {                /* see if copy from window */
                     op = dist - op;             /* distance back in window */
                     if (op > whave) {
+#ifdef INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR
                         if (state->sane) {
                             SET_BAD("invalid distance too far back");
                             break;
                         }
-#ifdef INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR
                         if (len <= op - whave) {
                             do {
                                 *out++ = 0;
@@ -226,6 +220,9 @@ void Z_INTERNAL INFLATE_FAST(PREFIX3(stream) *strm, uint32_t start) {
                             } while (--len);
                             continue;
                         }
+#else
+                        SET_BAD("invalid distance too far back");
+                        break;
 #endif
                     }
                     from = window;

diff --git a/inflate.c b/inflate.c
@@ -73,13 +73,17 @@ int32_t Z_EXPORT PREFIX(inflateResetKeep)(PREFIX3(stream) *strm) {
     state->last = 0;
     state->havedict = 0;
     state->flags = -1;
-    state->dmax = 32768U;
     state->head = NULL;
     state->hold = 0;
     state->bits = 0;
     state->lencode = state->distcode = state->next = state->codes;
-    state->sane = 1;
     state->back = -1;
+#ifdef INFLATE_STRICT
+    state->dmax = 32768U;
+#endif
+#ifdef INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR
+    state->sane = 1;
+#endif
     INFLATE_RESET_KEEP_HOOK(strm);  /* hook for IBM Z DFLTCC */
     Tracev((stderr, "inflate: reset\n"));
     return Z_OK;
@@ -539,7 +543,9 @@ int32_t Z_EXPORT PREFIX(inflate)(PREFIX3(stream) *strm, int32_t flush) {
                 SET_BAD("invalid window size");
                 break;
             }
+#ifdef INFLATE_STRICT
             state->dmax = 1U << len;
+#endif
             state->flags = 0;               /* indicate zlib header */
             Tracev((stderr, "inflate:   zlib header ok\n"));
             strm->adler = state->check = ADLER32_INITIAL_VALUE;
@@ -1049,11 +1055,11 @@ int32_t Z_EXPORT PREFIX(inflate)(PREFIX3(stream) *strm, int32_t flush) {
             if (state->offset > copy) {         /* copy from window */
                 copy = state->offset - copy;
                 if (copy > state->whave) {
+#ifdef INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR
                     if (state->sane) {
                         SET_BAD("invalid distance too far back");
                         break;
                     }
-#ifdef INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR
                     Trace((stderr, "inflate.c too far\n"));
                     copy -= state->whave;
                     copy = MIN(copy, state->length);
@@ -1065,8 +1071,10 @@ int32_t Z_EXPORT PREFIX(inflate)(PREFIX3(stream) *strm, int32_t flush) {
                     } while (--copy);
                     if (state->length == 0)
                         state->mode = LEN;
-                    break;
+#else
+                    SET_BAD("invalid distance too far back");
 #endif
+                    break;
                 }
                 if (copy > state->wnext) {
                     copy -= state->wnext;
@@ -1404,17 +1412,17 @@ int32_t Z_EXPORT PREFIX(inflateCopy)(PREFIX3(stream) *dest, PREFIX3(stream) *sou
 }
 
 int32_t Z_EXPORT PREFIX(inflateUndermine)(PREFIX3(stream) *strm, int32_t subvert) {
+#ifdef INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR
     struct inflate_state *state;
 
     if (inflateStateCheck(strm))
         return Z_STREAM_ERROR;
     state = (struct inflate_state *)strm->state;
-#ifdef INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR
     state->sane = !subvert;
     return Z_OK;
 #else
+    Z_UNUSED(strm);
     Z_UNUSED(subvert);
-    state->sane = 1;
     return Z_DATA_ERROR;
 #endif
 }

diff --git a/inflate.h b/inflate.h
@@ -105,7 +105,6 @@ struct ALIGNED_(64) inflate_state {
     int havedict;               /* true if dictionary provided */
     int flags;                  /* gzip header method and flags, 0 if zlib, or
                                    -1 if raw or no header yet */
-    unsigned dmax;              /* zlib header max distance (INFLATE_STRICT) */
     unsigned long check;        /* protected copy of check value */
     unsigned long total;        /* protected copy of output count */
     PREFIX(gz_headerp) head;    /* where to save gzip header information */
@@ -145,11 +144,17 @@ struct ALIGNED_(64) inflate_state {
     uint16_t lens[320];         /* temporary storage for code lengths */
     uint16_t work[288];         /* work area for code table building */
     code codes[ENOUGH];         /* space for code tables */
-    int sane;                   /* if false, allow invalid distance too far */
     int back;                   /* bits back of last unprocessed length/lit */
     unsigned was;               /* initial length of match */
     uint32_t chunksize;         /* size of memory copying chunk */
     inflate_allocs *alloc_bufs; /* struct for handling memory allocations */
+
+#ifdef INFLATE_STRICT
+    unsigned dmax;              /* zlib header max distance (INFLATE_STRICT) */
+#endif
+#ifdef INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR
+    int sane;                   /* if false, allow invalid distance too far */
+#endif
 #ifdef HAVE_ARCH_INFLATE_STATE
     arch_inflate_state arch;    /* architecture-specific extensions */
 #endif