Fix integer overflow in patch_delta()
[gitweb.git] / sha1_file.c
index 4cc8939e4b901c1eda75a71705021c749c9a48b0..63981fb3fd9cfa6cca4126eba5a964b449c62444 100644 (file)
@@ -1357,8 +1357,6 @@ unsigned long get_size_from_delta(struct packed_git *p,
                in = use_pack(p, w_curs, curpos, &stream.avail_in);
                stream.next_in = in;
                st = git_inflate(&stream, Z_FINISH);
-               if (st == Z_BUF_ERROR && (stream.avail_in || !stream.avail_out))
-                       break;
                curpos += stream.next_in - in;
        } while ((st == Z_OK || st == Z_BUF_ERROR) &&
                 stream.total_out < sizeof(delta_head));
@@ -1589,15 +1587,15 @@ static void *unpack_compressed_entry(struct packed_git *p,
        buffer[size] = 0;
        memset(&stream, 0, sizeof(stream));
        stream.next_out = buffer;
-       stream.avail_out = size;
+       stream.avail_out = size + 1;
 
        git_inflate_init(&stream);
        do {
                in = use_pack(p, w_curs, curpos, &stream.avail_in);
                stream.next_in = in;
                st = git_inflate(&stream, Z_FINISH);
-               if (st == Z_BUF_ERROR && (stream.avail_in || !stream.avail_out))
-                       break;
+               if (!stream.avail_out)
+                       break; /* the payload is larger than it should be */
                curpos += stream.next_in - in;
        } while (st == Z_OK || st == Z_BUF_ERROR);
        git_inflate_end(&stream);