1From 8304bdda5293ffd5b3efce8e4f54904b387029d6 Mon Sep 17 00:00:00 2001
2From: Hans Wennborg <hans@chromium.org>
3Date: Wed, 23 Sep 2020 16:36:38 +0200
4Subject: [PATCH] Avoid crashing in check_match when prev_match == -1
5
6prev_match can be set to -1 after sliding the window. In that case, the
7window has slid past the first byte of the last match, which means it
8cannot be compared in check_match.
9
10This would cause zlib to crash on some inputs to deflate when built
11with ZLIB_DEBUG enabled.
12
13Check for this situation and avoid crashing by not trying to compare
14the first byte.
15
16Bug: 1113142
17---
18 third_party/zlib/deflate.c | 8 +++++++-
19 1 file changed, 7 insertions(+), 1 deletion(-)
20
21diff --git a/third_party/zlib/deflate.c b/third_party/zlib/deflate.c
22index cfdd2f46b230..d70732ec6fc2 100644
23--- a/third_party/zlib/deflate.c
24+++ b/third_party/zlib/deflate.c
25@@ -2060,7 +2060,13 @@ local block_state deflate_slow(s, flush)
26 uInt max_insert = s->strstart + s->lookahead - MIN_MATCH;
27 /* Do not insert strings in hash table beyond this. */
28
29- check_match(s, s->strstart-1, s->prev_match, s->prev_length);
30+ if (s->prev_match == -1) {
31+ /* The window has slid one byte past the previous match,
32+ * so the first byte cannot be compared. */
33+ check_match(s, s->strstart, s->prev_match+1, s->prev_length-1);
34+ } else {
35+ check_match(s, s->strstart-1, s->prev_match, s->prev_length);
36+ }
37
38 _tr_tally_dist(s, s->strstart -1 - s->prev_match,
39 s->prev_length - MIN_MATCH, bflush);
40--
412.28.0.681.g6f77f65b4e-goog
42
43
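Review bot: The new guard `if (s->prev_match == -1)` compares against a signed literal, and in upstream zlib `prev_match` is declared `IPos` (an unsigned type), so both the test and the `s->prev_match+1` argument rely on implicit conversion and wraparound to 0. Assuming this tree keeps that typedef, writing `if (s->prev_match == (IPos)-1) {` states the intent and avoids a sign-compare warning. The unchanged `_tr_tally_dist(s, s->strstart -1 - s->prev_match, ...)` call just below still consumes the wrapped value and appears to produce the right distance only through unsigned modular arithmetic; a comment such as `/* prev_match may be (IPos)-1 after a window slide; the unsigned subtraction still yields the correct distance. */` would record that for the next reader. The body of deflate_slow starts and ends outside this hunk, so the declaration and the code that sets prev_match are not visible here.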