From: Fabian Keil <fk@fabiankeil.de>
Date: Mon, 8 Feb 2021 09:59:23 +0000 (+0100)
Subject: decompress_iob(): Don't advance cur past eod
X-Git-Tag: v_3_0_32~29
X-Git-Url: http://www.privoxy.org/gitweb/@default-cgi@/user-manual/@default-cgi@toggle?a=commitdiff_plain;h=ebf8e996becaa6488e2d1e6073db0d3da5971beb;p=privoxy.git

decompress_iob(): Don't advance cur past eod

... when looking for the end of the file name and comment.

I could not come up with a test case where the previous
behaviour resulted in reading of uninitialized data but
advancing past eod still seems wrong.
---

diff --git a/parsers.c b/parsers.c
index f905c92a..999c715e 100644
--- a/parsers.c
+++ b/parsers.c
@@ -634,14 +634,14 @@ jb_err decompress_iob(struct client_state *csp)
          if (flags & GZIP_FLAG_FILE_NAME)
          {
             /* A null-terminated string is supposed to follow. */
-            while (*cur++ && (cur < csp->iob->eod));
+            while ((cur < csp->iob->eod) && *cur++);
          }
 
          /* Skip the comment if necessary. */
          if (flags & GZIP_FLAG_COMMENT)
          {
             /* A null-terminated string is supposed to follow. */
-            while (*cur++ && (cur < csp->iob->eod));
+            while ((cur < csp->iob->eod) && *cur++);
          }
 
          /* Skip the CRC if necessary. */
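Review bot: Both rewritten loops, for the file name and for the comment, exit the same way whether the NUL terminator was found or `cur` reached `csp->iob->eod`, so a header whose name or comment is never terminated falls through to the CRC step with `cur` sitting at `eod`. The reordering itself is right: the old form evaluated `*cur++` before comparing against `eod`, the new one compares first. What is missing is a distinction between "string ended" and "buffer ended". Consider recording in each loop whether the terminator was seen and treating its absence as a malformed gzip header, returning an error instead of continuing. Whether a later bounds check already covers this is not visible in this hunk. As a smaller point, the two loops are identical and have an empty body closed by a trailing `;` on the same line. A small helper that skips a NUL-terminated field, or at least a `;` on its own line, would make the intent harder to misread.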