From 4b58eee79d3af3647adb4c78938d83970e788975 Mon Sep 17 00:00:00 2001
From: Paul Eggert
Date: Tue, 28 Jun 2022 22:30:08 -0500
Subject: [PATCH 1/2] gzip: detect invalid input

Problem reported by Young Mo Kang and fix from Mark Adler (Bug#56247).
* inflate.c: Include stdbool.h.
(fresh): New static var.
* inflate.c (flush_output): Clear it.
(inflate): Set it.
(inflate_codes): Fail if the offset is outside a fresh input window.
---
 inflate.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/inflate.c b/inflate.c
index 199a935..4fbb1be 100644
--- a/inflate.c
+++ b/inflate.c
@@ -117,6 +117,7 @@
 #include
+#include
 #include
 #include "tailor.h"
@@ -153,8 +154,9 @@ static int huft_free (struct huft *);
 "uch *slide;" and then malloc'ed in the latter case. The definition must be in unzip.h, included above. */
 /* unsigned wp; current position in slide */
+static bool fresh;
 #define wp outcnt
-#define flush_output(w) (wp=(w),flush_window())
+#define flush_output(w) (fresh = false, wp = (w), flush_window ())
 /* Tables for deflate from PKZIP's appnote.txt. */
 static unsigned border[] = { /* Order of the bit length code lengths */
@@ -582,6 +584,8 @@ inflate_codes(struct huft *tl, struct huft *td, int bl, int bd)
 NEEDBITS(e)
 d = w - t->v.n - ((unsigned)b & mask_bits[e]);
 DUMPBITS(e)
+ if (fresh && w <= d)
+ return 1;
 Tracevv ((stderr, "\\[%u,%u]", w - d, n));
 /* do the copy */
@@ -964,6 +968,7 @@ inflate(void)
 wp = 0;
 bk = 0;
 bb = 0;
+ fresh = true;
 /* decompress until the last block */
-- 
2.25.1
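Review bot: The new guard `if (fresh && w <= d)` in inflate_codes is correct only because `d` is unsigned and was computed one line earlier as `w` minus the match distance, so a distance larger than the bytes written so far wraps `d` to a value at or above `w`; neither this line nor the `static bool fresh;` declaration in the earlier hunk records that reasoning, and the bare name `fresh` does not convey it. I would document it at the declaration, `/* True from the start of inflate() until the first flush_window(): the slide then holds only w valid bytes, so a match whose distance reaches back before them reads bytes never written. */`, and at the check, `/* distance reaches before the start of output: invalid stream */`. The guard also assumes that every flush_output() call that can precede further matches flushes a full window, so that after `fresh` is cleared the whole slide holds real output; that depends on callers outside these hunks and is worth stating next to the `flush_output` macro. inflate_codes's body starts and ends outside the hunk, as does inflate()'s, so the return-value convention (`return 1` treated as an invalid block) is inferred rather than visible here; a regression input with a back-reference preceding the first output byte would pin this fix in the test suite.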