zlib: Port fix for CVE-2016-9841 to U-Boot
The patch corresponds to zlib commit at
https://github.com/madler/zlib/commit/
9aaec95e82117c1cb0f9624264c3618fc380cecb
which declares that it is fixing CVE-2016-9841.
Here is c&p description from zlib:
"Use post-increment only in inffast.c.
An old inffast.c optimization turns out to not be optimal anymore
with modern compilers, and furthermore was not compliant with the
C standard, for which decrementing a pointer before its allocated
memory is undefined. Per the recommendation of a security audit of
the zlib code by Trail of Bits and TrustInSoft, in support of the
Mozilla Foundation, this "optimization" was removed, in order to
avoid the possibility of undefined behavior."
Origin patch also updates the code when
INFLATE_ALLOW_INVALID_DISTANCE_TOOFAR_ARRR is present but this code is not
the part of U-Boot hence it is ignored.
Also do not deal with state->sane variable which requires other changes
which are also not the part of zlib.
Commit
92faa8b10918 ("zlib: handle overflow while calculating available
stream input size") is kept in inffast.c too not to break described case.
Signed-off-by: Michal Simek <michal.simek@amd.com>
projects / u-boot.git / commit