From b553deaa40332aabf97b2a136c1d19c4890b4806 Mon Sep 17 00:00:00 2001
From: elaude
Date: Mon, 22 Apr 2024 10:57:42 +0200
Subject: [PATCH] Fix error in decompressing RDS files that decompress to more than UINT_MAX bytes

This was caused by truncating assignment of an 8 byte ssize_t to a 4 byte uInt. Fixed by doing saturating assignment instead. The surrounding decompression loop ensures that larger files can be decompressed (in chunks).
---
 src/rdata_read.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/rdata_read.c b/src/rdata_read.c
index 0458332..9316a6a 100644
--- a/src/rdata_read.c
+++ b/src/rdata_read.c
@@ -241,6 +241,7 @@ static ssize_t read_st_compression(rdata_ctx_t *ctx, void *buffer, size_t len) {
 #if HAVE_ZLIB
 static ssize_t read_st_z(rdata_ctx_t *ctx, void *buffer, size_t len) {
+ const uInt max = (uInt)-1;
 ssize_t bytes_written = 0;
 int error = 0;
 int result = Z_OK;
@@ -248,7 +249,10 @@ static ssize_t read_st_z(rdata_ctx_t *ctx, void *buffer, size_t len) {
 long start_out = ctx->z_strm->total_out;
 ctx->z_strm->next_out = (unsigned char *)buffer + bytes_written;
- ctx->z_strm->avail_out = len - bytes_written;
+ if (ctx->z_strm->avail_out == 0) {
+ ssize_t left = len - bytes_written;
+ ctx->z_strm->avail_out = left > (ssize_t)max ? max : (uInt)left;
+ }
 result = inflate(ctx->z_strm, Z_SYNC_FLUSH);
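Review bot: On builds where ssize_t is 32 bits wide, the clamp `left > (ssize_t)max ? max : (uInt)left` in the second hunk is wrong. There `(ssize_t)max` converts the `(uInt)-1` declared in the first hunk to a negative value (typically -1), so the comparison is true for every non-negative `left` and `avail_out` becomes the full uInt range regardless of `len`, letting inflate() write past `buffer`. Comparing unsigned is correct at both widths: `size_t left = len - (size_t)bytes_written;` followed by `ctx->z_strm->avail_out = left > max ? max : (uInt)left;`. Separately, the new `if (ctx->z_strm->avail_out == 0)` guard reuses any non-zero `avail_out` left in the stream by an earlier call, now paired with a different `buffer` and `len`. The rest of the loop lies outside this hunk, so unless it guarantees `avail_out` is zero on entry, assigning the clamped value unconditionally on each iteration is safer; `next_out` is already recomputed from `bytes_written` every time.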