From 8304bdda5293ffd5b3efce8e4f54904b387029d6 Mon Sep 17 00:00:00 2001 From: Hans Wennborg Date: Wed, 23 Sep 2020 16:36:38 +0200 Subject: [PATCH] Avoid crashing in check_match when prev_match == -1 prev_match can be set to -1 after sliding the window. In that case, the window has slid past the first byte of the last match, which means it cannot be compared in check_match. This would cause zlib to crash on some inputs to deflate when built with ZLIB_DEBUG enabled. Check for this situation and avoid crashing by not trying to compare the first byte. Bug: 1113142 --- third_party/zlib/deflate.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/third_party/zlib/deflate.c b/third_party/zlib/deflate.c index cfdd2f46b230..d70732ec6fc2 100644 --- a/third_party/zlib/deflate.c +++ b/third_party/zlib/deflate.c @@ -2060,7 +2060,13 @@ local block_state deflate_slow(s, flush) uInt max_insert = s->strstart + s->lookahead - MIN_MATCH; /* Do not insert strings in hash table beyond this. */ - check_match(s, s->strstart-1, s->prev_match, s->prev_length); + if (s->prev_match == -1) { + /* The window has slid one byte past the previous match, + * so the first byte cannot be compared. */ + check_match(s, s->strstart, s->prev_match+1, s->prev_length-1); + } else { + check_match(s, s->strstart-1, s->prev_match, s->prev_length); + } _tr_tally_dist(s, s->strstart -1 - s->prev_match, s->prev_length - MIN_MATCH, bflush); -- 2.28.0.681.g6f77f65b4e-goog