Avoid overwriting bytes in scratch buffer

Fix code when src_offs was negativ. The existing copy-code overwrote bytes. This was causing problems decoding compressed data under very rare circumstances. This fix changed this by using the memmove() function instead.
ibm-genwqe · Aug 28, 2015 · de1be2a · de1be2a
1 parent 739bf3a
commit de1be2a
Showing 1 changed file with 13 additions and 15 deletions.
diff --git a/lib/inflate.c b/lib/inflate.c
@@ -111,14 +111,13 @@ static void extract_new_tree(zedc_streamp strm)
 			cnt = 0;
 	}
 
-	while (cnt--) {
+	/* NOTE: This is the same as in scratch_update() */
+	if (cnt) {
 		if (src_offs >= 0)
-			src = strm->next_in + src_offs;
-		else
-			src = strm->wsp->tree + strm->in_hdr_scratch_len +
-						src_offs;
-		*target++ = *src;
-		src_offs++;
+			src = (uint8_t*)strm->next_in;
+		else	src = strm->wsp->tree + strm->in_hdr_scratch_len;
+		src += src_offs;
+		memmove(target, src, cnt);
 	}
 
 	strm->tree_bits = strm->out_hdr_bits;
@@ -176,14 +175,13 @@ static void scratch_update(zedc_streamp strm)
 	strm->scratch_bits = cnt * 8 - (scratch_offs % 8);
 	strm->scratch_ib = scratch_offs % 8;
 
-	while (cnt--) {
-		if (src_offs < 0)
-			src = strm->wsp->tree +
-			      strm->in_hdr_scratch_len + src_offs;
-		else
-			src = strm->next_in + src_offs;
-		*target++ = *src;
-		src_offs++;
+	/* NOTE: This is the same as in extract_new_tree() */
+	if (cnt) {
+		if (src_offs >= 0)
+			src = strm->next_in;
+		else	src = strm->wsp->tree + strm->in_hdr_scratch_len;
+		src += src_offs;
+		memmove(target, src, cnt);
 	}
 }