From 99ebcb36d6ce86126da246abc53beba5b48ac33d Mon Sep 17 00:00:00 2001
From: tb
Date: Fri, 6 Mar 2026 05:31:58 +0000
Subject: [PATCH] inflateCopy: fix a heap info leak (part of ZLB-01-003)
commit 3509ab515f29002f64455d6e34e19df0c16b1707
Author: Mark Adler
Date: Sun Dec 21 18:34:14 2025 -0800
Copy only the initialized window contents in inflateCopy. To avoid the propagation and possible disclosure of uninitialized memory contents.
---
 lib/libz/inflate.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)
diff --git a/lib/libz/inflate.c b/lib/libz/inflate.c
index c4f80cfa06c..36f2c8c3257 100644
--- a/lib/libz/inflate.c
+++ b/lib/libz/inflate.c
@@ -1527,7 +1527,6 @@ int ZEXPORT inflateCopy(z_streamp dest, z_streamp source) {
 struct inflate_state FAR *state;
 struct inflate_state FAR *copy;
 unsigned char FAR *window;
- unsigned wsize;

 /* check input */
 if (inflateStateCheck(source) || dest == Z_NULL)
@@ -1558,10 +1557,8 @@ int ZEXPORT inflateCopy(z_streamp dest, z_streamp source) {
 copy->distcode = copy->codes + (state->distcode - state->codes);
 }
 copy->next = copy->codes + (state->next - state->codes);
- if (window != Z_NULL) {
- wsize = 1U << state->wbits;
- zmemcpy(window, state->window, wsize);
- }
+ if (window != Z_NULL)
+ zmemcpy(window, state->window, state->whave);
 copy->window = window;
 dest->state = (struct internal_state FAR *)copy;
 return Z_OK;
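Review bot: The new `zmemcpy(window, state->window, state->whave);` in the second hunk copies all valid history only if the initialized bytes always sit in the first `whave` bytes of the window, and nothing at this call site records that assumption. That invariant is presumably maintained by the window-update code elsewhere in inflate.c, which is outside this hunk. A short comment above the copy would protect it against later changes to the window layout, for example `/* only the first whave bytes of the window are initialized */`. The destination window beyond `whave` is now left as the allocator returned it, so it is worth confirming that the allocation earlier in inflateCopy and every reader of the copied state bound their accesses by `whave`. inflateCopy's body starts and ends outside both hunks.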