check zlib space to be within buffer #39

diff --git a/zzip/memdisk.c b/zzip/memdisk.c
index 3de201c41f6c66615195e879d2b890a6a6d00cce..8d5743d797286f25811e13724a7a7850e2cfb8ee 100644 (file)
--- a/zzip/memdisk.c
+++ b/zzip/memdisk.c
@@ -521,11 +521,20 @@ zzip_mem_entry_fopen(ZZIP_MEM_DISK * dir, ZZIP_MEM_ENTRY * entry)
     file->zlib.avail_in = zzip_mem_entry_csize(entry);
     file->zlib.next_in = zzip_mem_entry_to_data(entry);
 
+    debug2("compressed size %i", (int) file->zlib.avail_in);
+    if (file->zlib.next_in + file->zlib.avail_in >= file->endbuf)
+         goto error;
+    if (file->zlib.next_in < file->buffer)
+         goto error;
+
     if (! zzip_mem_entry_data_deflated(entry) ||
         inflateInit2(&file->zlib, -MAX_WBITS) != Z_OK)
         { free (file); return 0; }
 
     return file;
+error:
+    errno = EBADMSG;
+    return NULL;
 }
 
 /** => zzip_mem_entry_open

diff --git a/zzip/mmapped.c b/zzip/mmapped.c
index 920c4df563c8a5336db309929fe8522e712f12d3..8af18f430705f0672bf374179574530323cf126b 100644 (file)
--- a/zzip/mmapped.c
+++ b/zzip/mmapped.c
@@ -654,6 +654,8 @@ zzip_disk_entry_fopen(ZZIP_DISK * disk, ZZIP_DISK_ENTRY * entry)
     DBG2("compressed size %i", (int) file->zlib.avail_in);
     if (file->zlib.next_in + file->zlib.avail_in >= disk->endbuf)
          goto error;
+    if (file->zlib.next_in < disk->buffer)
+         goto error;
 
     if (! zzip_file_header_data_deflated(header))
         goto error;