commit f6a55b4019ef1be061bac7e315541d2389a7bd1d from: Stefan Sperling via: Thomas Adam date: Sat Feb 12 17:22:05 2022 UTC fix infinite loop in got-index-pack for pack files >= 4GB in size Because of a missing range check our zlib wrapper would end up calling zlib over and over with zero bytes of input. Problem reported by semarie and naddy. Fixed with help from millert@. ok millert naddy
commit - 17431c138a938066f1f24d60a05fcbc2934b2dfc
commit + f6a55b4019ef1be061bac7e315541d2389a7bd1d
blob - f168c15f62298372588b4cc748d77f427ff55a5f
blob + 8a4452f74e19fbe55d28a95e4c184b9873ff920c
--- lib/deflate.c
+++ lib/deflate.c
@@ -151,7 +151,10 @@ got_deflate_read_mmap(struct got_deflate_buf *zb, uint
 size_t last_total_in = z->total_in;
 if (z->avail_in == 0) {
 z->next_in = map + offset + *consumed;
- z->avail_in = len - *consumed;
+ if (len - *consumed > UINT_MAX)
+ z->avail_in = UINT_MAX;
+ else
+ z->avail_in = len - *consumed;
 if (z->avail_in == 0) {
 /* EOF */
 ret = deflate(z, Z_FINISH);
blob - e06000919c0eb2435e2df718350bdbabf0eae9e4
blob + 833d2e05dfe063a461c46a6fa502c2f1144ba185
--- lib/inflate.c
+++ lib/inflate.c
@@ -247,7 +247,10 @@ got_inflate_read_mmap(struct got_inflate_buf *zb, uint
 break;
 }
 z->next_in = map + offset + *consumed;
- z->avail_in = len - *consumed;
+ if (len - *consumed > UINT_MAX)
+ z->avail_in = UINT_MAX;
+ else
+ z->avail_in = len - *consumed;
 }
 if (zb->csum) {
 csum_in = z->next_in;
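Review bot: The clamp in got_deflate_read_mmap carries no comment saying why it exists, and the same four lines are repeated in got_inflate_read_mmap in lib/inflate.c, so a later cleanup could easily fold it back into the plain assignment. zlib's `avail_in` is an unsigned int while `len` and `*consumed` look like size_t here, so I would add `/* avail_in is a uInt: clamp, a >= 4GB remainder would truncate (possibly to 0, which reads as EOF) */` above the `if` in both places, or move the clamp into one shared static helper. The subtraction still assumes `*consumed <= len`; both functions begin and end outside their hunks, so that invariant cannot be confirmed from the diff, and if it ever failed the wrapped value would now be clamped to UINT_MAX rather than rejected. Neither hunk adds `#include <limits.h>`, so it is worth confirming that UINT_MAX does not arrive only through a transitive include.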