Commit b8dc2fdb92c350b786fe4cb27e9b841b794c1e86
2015-07-09T18:36:53
zstream: fail when asked to inflate garbage When we are provided some input buffer (with a length) to inflate, and it contains more data than simply the deflated data, fail. zlib will helpfully tell us when it is done reading (via Z_STREAM_END), so if there is data leftover in the input buffer, fail lest we continually try to inflate it.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46
diff --git a/src/zstream.c b/src/zstream.c
index 6533449..d9ad4ca 100644
--- a/src/zstream.c
+++ b/src/zstream.c
@@ -86,6 +86,11 @@ int git_zstream_get_output(void *out, size_t *out_len, git_zstream *zstream)
int zflush = Z_FINISH;
size_t out_remain = *out_len;
+ if (zstream->in_len && zstream->zerr == Z_STREAM_END) {
+ giterr_set(GITERR_ZLIB, "zlib input had trailing garbage");
+ return -1;
+ }
+
while (out_remain > 0 && zstream->zerr != Z_STREAM_END) {
size_t out_queued, in_queued, out_used, in_used;
diff --git a/tests/core/zstream.c b/tests/core/zstream.c
index b13429b..961904e 100644
--- a/tests/core/zstream.c
+++ b/tests/core/zstream.c
@@ -58,6 +58,25 @@ void test_core_zstream__basic(void)
assert_zlib_equal(data, strlen(data) + 1, out, outlen);
}
+void test_core_zstream__fails_on_trailing_garbage(void)
+{
+ git_buf deflated = GIT_BUF_INIT, inflated = GIT_BUF_INIT;
+ size_t i = 0;
+
+ /* compress a simple string */
+ git_zstream_deflatebuf(&deflated, "foobar!!", 8);
+
+ /* append some garbage */
+ for (i = 0; i < 10; i++) {
+ git_buf_putc(&deflated, i);
+ }
+
+ cl_git_fail(git_zstream_inflatebuf(&inflated, deflated.ptr, deflated.size));
+
+ git_buf_free(&deflated);
+ git_buf_free(&inflated);
+}
+
void test_core_zstream__buffer(void)
{
git_buf out = GIT_BUF_INIT;