From: Nigel Tao <nigeltao@golang.org>
Date: Thu, 24 Mar 2022 23:33:21 +0000 (+1100)
Subject: compress/zlib: tighten header CINFO check
X-Git-Tag: go1.19beta1~875
X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=d1060d8e82a320725e961f2648e62034d7f768e4;p=gostls13.git

compress/zlib: tighten header CINFO check

RFC 1950 section 2.2 "Data format" says "CINFO (Compression info)... For
CM = 8... Values of CINFO above 7 are not allowed".

Change-Id: Ibbc1213125c7dc045f09901ee7746660e90b5fcd
Reviewed-on: https://go-review.googlesource.com/c/go/+/395734
Reviewed-by: Matthew Dempsky <mdempsky@google.com>
Trust: Nigel Tao <nigeltao@golang.org>
---

diff --git a/src/compress/zlib/reader.go b/src/compress/zlib/reader.go
index a195b380d8..343a18bf68 100644
--- a/src/compress/zlib/reader.go
+++ b/src/compress/zlib/reader.go
@@ -32,7 +32,10 @@ import (
 	"io"
 )
 
-const zlibDeflate = 8
+const (
+	zlibDeflate   = 8
+	zlibMaxWindow = 7
+)
 
 var (
 	// ErrChecksum is returned when reading ZLIB data that has an invalid checksum.
@@ -143,7 +146,7 @@ func (z *reader) Reset(r io.Reader, dict []byte) error {
 		return z.err
 	}
 	h := uint(z.scratch[0])<<8 | uint(z.scratch[1])
-	if (z.scratch[0]&0x0f != zlibDeflate) || (h%31 != 0) {
+	if (z.scratch[0]&0x0f != zlibDeflate) || (z.scratch[0]>>4 > zlibMaxWindow) || (h%31 != 0) {
 		z.err = ErrHeader
 		return z.err
 	}
diff --git a/src/compress/zlib/reader_test.go b/src/compress/zlib/reader_test.go
index 70e33babd1..20cec696ee 100644
--- a/src/compress/zlib/reader_test.go
+++ b/src/compress/zlib/reader_test.go
@@ -65,7 +65,14 @@ var zlibTests = []zlibTest{
 		nil,
 	},
 	{
-		"bad header",
+		"bad header (CINFO)",
+		"",
+		[]byte{0x88, 0x98, 0x03, 0x00, 0x00, 0x00, 0x00, 0x01},
+		nil,
+		ErrHeader,
+	},
+	{
+		"bad header (FCHECK)",
 		"",
 		[]byte{0x78, 0x9f, 0x03, 0x00, 0x00, 0x00, 0x00, 0x01},
 		nil,