From 9709958d84945821927db9e5e8daa8e071e0df9a Mon Sep 17 00:00:00 2001 From: Alex Kocharin Date: Thu, 9 Jun 2022 16:47:38 +0300 Subject: [PATCH] Do a more thorough check of the state for every stream call. https://github.com/madler/zlib/commit/b516b4bdd7c0c9f0858adfebf732089014f7b282 --- lib/zlib/deflate.js | 47 ++++++++++++++-------- lib/zlib/inffast.js | 4 +- lib/zlib/inflate.js | 97 ++++++++++++++++++++++++++------------------- 3 files changed, 89 insertions(+), 59 deletions(-) diff --git a/lib/zlib/deflate.js b/lib/zlib/deflate.js index 856be4f..2fca402 100644 --- a/lib/zlib/deflate.js +++ b/lib/zlib/deflate.js @@ -1258,9 +1258,31 @@ function DeflateState() { } +/* ========================================================================= + * Check for a valid deflate stream state. Return 0 if ok, 1 if not. + */ +const deflateStateCheck = (strm) => { + + if (!strm) { + return 1; + } + const s = strm.state; + if (!s || s.strm !== strm || (s.status !== INIT_STATE && + s.status !== EXTRA_STATE && + s.status !== NAME_STATE && + s.status !== COMMENT_STATE && + s.status !== HCRC_STATE && + s.status !== BUSY_STATE && + s.status !== FINISH_STATE)) { + return 1; + } + return 0; +}; + + const deflateResetKeep = (strm) => { - if (!strm || !strm.state) { + if (deflateStateCheck(strm)) { return err(strm, Z_STREAM_ERROR); } @@ -1298,8 +1320,9 @@ const deflateReset = (strm) => { const deflateSetHeader = (strm, head) => { - if (!strm || !strm.state) { return Z_STREAM_ERROR; } - if (strm.state.wrap !== 2) { return Z_STREAM_ERROR; } + if (deflateStateCheck(strm) || strm.state.wrap !== 2) { + return Z_STREAM_ERROR; + } strm.state.gzhead = head; return Z_OK; }; @@ -1343,6 +1366,7 @@ const deflateInit2 = (strm, level, method, windowBits, memLevel, strategy) => { strm.state = s; s.strm = strm; + s.status = INIT_STATE; /* to pass state test in deflateReset() */ s.wrap = wrap; s.gzhead = null; @@ -1394,8 +1418,7 @@ const deflate = (strm, flush) => { let beg, val; // for gzip header write only - if (!strm || !strm.state || - flush > Z_BLOCK || flush < 0) { + if (deflateStateCheck(strm) || flush > Z_BLOCK || flush < 0) { return strm ? err(strm, Z_STREAM_ERROR) : Z_STREAM_ERROR; } @@ -1727,21 +1750,11 @@ const deflate = (strm, flush) => { const deflateEnd = (strm) => { - if (!strm/*== Z_NULL*/ || !strm.state/*== Z_NULL*/) { + if (deflateStateCheck(strm)) { return Z_STREAM_ERROR; } const status = strm.state.status; - if (status !== INIT_STATE && - status !== EXTRA_STATE && - status !== NAME_STATE && - status !== COMMENT_STATE && - status !== HCRC_STATE && - status !== BUSY_STATE && - status !== FINISH_STATE - ) { - return err(strm, Z_STREAM_ERROR); - } strm.state = null; @@ -1757,7 +1770,7 @@ const deflateSetDictionary = (strm, dictionary) => { let dictLength = dictionary.length; - if (!strm/*== Z_NULL*/ || !strm.state/*== Z_NULL*/) { + if (deflateStateCheck(strm)) { return Z_STREAM_ERROR; } diff --git a/lib/zlib/inffast.js b/lib/zlib/inffast.js index 44e5497..f4d6e7e 100644 --- a/lib/zlib/inffast.js +++ b/lib/zlib/inffast.js @@ -20,8 +20,8 @@ // 3. This notice may not be removed or altered from any source distribution. // See state defs from inflate.js -const BAD = 30; /* got a data error -- remain here until reset */ -const TYPE = 12; /* i: waiting for type bits, including last-flag bit */ +const BAD = 16209; /* got a data error -- remain here until reset */ +const TYPE = 16191; /* i: waiting for type bits, including last-flag bit */ /* Decode literal, length, and distance codes and write out the resulting diff --git a/lib/zlib/inflate.js b/lib/zlib/inflate.js index 1989231..d5639fc 100644 --- a/lib/zlib/inflate.js +++ b/lib/zlib/inflate.js @@ -42,38 +42,38 @@ const { /* ===========================================================================*/ -const HEAD = 1; /* i: waiting for magic header */ -const FLAGS = 2; /* i: waiting for method and flags (gzip) */ -const TIME = 3; /* i: waiting for modification time (gzip) */ -const OS = 4; /* i: waiting for extra flags and operating system (gzip) */ -const EXLEN = 5; /* i: waiting for extra length (gzip) */ -const EXTRA = 6; /* i: waiting for extra bytes (gzip) */ -const NAME = 7; /* i: waiting for end of file name (gzip) */ -const COMMENT = 8; /* i: waiting for end of comment (gzip) */ -const HCRC = 9; /* i: waiting for header crc (gzip) */ -const DICTID = 10; /* i: waiting for dictionary check value */ -const DICT = 11; /* waiting for inflateSetDictionary() call */ -const TYPE = 12; /* i: waiting for type bits, including last-flag bit */ -const TYPEDO = 13; /* i: same, but skip check to exit inflate on new block */ -const STORED = 14; /* i: waiting for stored size (length and complement) */ -const COPY_ = 15; /* i/o: same as COPY below, but only first time in */ -const COPY = 16; /* i/o: waiting for input or output to copy stored block */ -const TABLE = 17; /* i: waiting for dynamic block table lengths */ -const LENLENS = 18; /* i: waiting for code length code lengths */ -const CODELENS = 19; /* i: waiting for length/lit and distance code lengths */ -const LEN_ = 20; /* i: same as LEN below, but only first time in */ -const LEN = 21; /* i: waiting for length/lit/eob code */ -const LENEXT = 22; /* i: waiting for length extra bits */ -const DIST = 23; /* i: waiting for distance code */ -const DISTEXT = 24; /* i: waiting for distance extra bits */ -const MATCH = 25; /* o: waiting for output space to copy string */ -const LIT = 26; /* o: waiting for output space to write literal */ -const CHECK = 27; /* i: waiting for 32-bit check value */ -const LENGTH = 28; /* i: waiting for 32-bit length (gzip) */ -const DONE = 29; /* finished check, done -- remain here until reset */ -const BAD = 30; /* got a data error -- remain here until reset */ -const MEM = 31; /* got an inflate() memory error -- remain here until reset */ -const SYNC = 32; /* looking for synchronization bytes to restart inflate() */ +const HEAD = 16180; /* i: waiting for magic header */ +const FLAGS = 16181; /* i: waiting for method and flags (gzip) */ +const TIME = 16182; /* i: waiting for modification time (gzip) */ +const OS = 16183; /* i: waiting for extra flags and operating system (gzip) */ +const EXLEN = 16184; /* i: waiting for extra length (gzip) */ +const EXTRA = 16185; /* i: waiting for extra bytes (gzip) */ +const NAME = 16186; /* i: waiting for end of file name (gzip) */ +const COMMENT = 16187; /* i: waiting for end of comment (gzip) */ +const HCRC = 16188; /* i: waiting for header crc (gzip) */ +const DICTID = 16189; /* i: waiting for dictionary check value */ +const DICT = 16190; /* waiting for inflateSetDictionary() call */ +const TYPE = 16191; /* i: waiting for type bits, including last-flag bit */ +const TYPEDO = 16192; /* i: same, but skip check to exit inflate on new block */ +const STORED = 16193; /* i: waiting for stored size (length and complement) */ +const COPY_ = 16194; /* i/o: same as COPY below, but only first time in */ +const COPY = 16195; /* i/o: waiting for input or output to copy stored block */ +const TABLE = 16196; /* i: waiting for dynamic block table lengths */ +const LENLENS = 16197; /* i: waiting for code length code lengths */ +const CODELENS = 16198; /* i: waiting for length/lit and distance code lengths */ +const LEN_ = 16199; /* i: same as LEN below, but only first time in */ +const LEN = 16200; /* i: waiting for length/lit/eob code */ +const LENEXT = 16201; /* i: waiting for length extra bits */ +const DIST = 16202; /* i: waiting for distance code */ +const DISTEXT = 16203; /* i: waiting for distance extra bits */ +const MATCH = 16204; /* o: waiting for output space to copy string */ +const LIT = 16205; /* o: waiting for output space to write literal */ +const CHECK = 16206; /* i: waiting for 32-bit check value */ +const LENGTH = 16207; /* i: waiting for 32-bit length (gzip) */ +const DONE = 16208; /* finished check, done -- remain here until reset */ +const BAD = 16209; /* got a data error -- remain here until reset */ +const MEM = 16210; /* got an inflate() memory error -- remain here until reset */ +const SYNC = 16211; /* looking for synchronization bytes to restart inflate() */ /* ===========================================================================*/ @@ -98,7 +98,8 @@ const zswap32 = (q) => { function InflateState() { - this.mode = 0; /* current inflate mode */ + this.strm = null; /* pointer back to this zlib stream */ + this.mode = 0; /* current inflate mode */ this.last = false; /* true if processing last block */ this.wrap = 0; /* bit 0 true for zlib, bit 1 true for gzip, bit 2 true to validate check value */ @@ -157,9 +158,23 @@ function InflateState() { } +const inflateStateCheck = (strm) => { + + if (!strm) { + return 1; + } + const state = strm.state; + if (!state || state.strm !== strm || + state.mode < HEAD || state.mode > SYNC) { + return 1; + } + return 0; +}; + + const inflateResetKeep = (strm) => { - if (!strm || !strm.state) { return Z_STREAM_ERROR; } + if (inflateStateCheck(strm)) { return Z_STREAM_ERROR; } const state = strm.state; strm.total_in = strm.total_out = state.total = 0; strm.msg = ''; /*Z_NULL*/ @@ -186,7 +201,7 @@ const inflateResetKeep = (strm) => { const inflateReset = (strm) => { - if (!strm || !strm.state) { return Z_STREAM_ERROR; } + if (inflateStateCheck(strm)) { return Z_STREAM_ERROR; } const state = strm.state; state.wsize = 0; state.whave = 0; @@ -200,7 +215,7 @@ const inflateReset2 = (strm, windowBits) => { let wrap; /* get the state */ - if (!strm || !strm.state) { return Z_STREAM_ERROR; } + if (inflateStateCheck(strm)) { return Z_STREAM_ERROR; } const state = strm.state; /* extract wrap request from windowBits parameter */ @@ -240,7 +255,9 @@ const inflateInit2 = (strm, windowBits) => { //if (state === Z_NULL) return Z_MEM_ERROR; //Tracev((stderr, "inflate: allocated\n")); strm.state = state; + state.strm = strm; state.window = null/*Z_NULL*/; + state.mode = HEAD; /* to pass state test in inflateReset2() */ const ret = inflateReset2(strm, windowBits); if (ret !== Z_OK) { strm.state = null/*Z_NULL*/; @@ -389,7 +406,7 @@ const inflate = (strm, flush) => { new Uint8Array([ 16, 17, 18, 0, 8, 7, 9, 6, 10, 5, 11, 4, 12, 3, 13, 2, 14, 1, 15 ]); - if (!strm || !strm.state || !strm.output || + if (inflateStateCheck(strm) || !strm.output || (!strm.input && strm.avail_in !== 0)) { return Z_STREAM_ERROR; } @@ -1465,7 +1482,7 @@ const inflate = (strm, flush) => { const inflateEnd = (strm) => { - if (!strm || !strm.state /*|| strm->zfree == (free_func)0*/) { + if (inflateStateCheck(strm)) { return Z_STREAM_ERROR; } @@ -1481,7 +1498,7 @@ const inflateEnd = (strm) => { const inflateGetHeader = (strm, head) => { /* check state */ - if (!strm || !strm.state) { return Z_STREAM_ERROR; } + if (inflateStateCheck(strm)) { return Z_STREAM_ERROR; } const state = strm.state; if ((state.wrap & 2) === 0) { return Z_STREAM_ERROR; } @@ -1500,7 +1517,7 @@ const inflateSetDictionary = (strm, dictionary) => { let ret; /* check state */ - if (!strm /* == Z_NULL */ || !strm.state /* == Z_NULL */) { return Z_STREAM_ERROR; } + if (inflateStateCheck(strm)) { return Z_STREAM_ERROR; } state = strm.state; if (state.wrap !== 0 && state.mode !== DICT) {