From 9e9b99af9c7970e43a3caa602c3fc69f5b4c7e54 Mon Sep 17 00:00:00 2001
From: Lukas Javorsky
Date: Tue, 7 Feb 2023 15:23:22 +0000
Subject: [PATCH] Resolve fuzzing issue for unknown memory access

Resolves: #2167803
---
 zlib-1.2.11-Limit-hash-table-inserts.patch | 69 ++++++++++++++++++++++
 zlib.spec | 9 ++-
 2 files changed, 77 insertions(+), 1 deletion(-)
 create mode 100644 zlib-1.2.11-Limit-hash-table-inserts.patch

diff --git a/zlib-1.2.11-Limit-hash-table-inserts.patch b/zlib-1.2.11-Limit-hash-table-inserts.patch
new file mode 100644
index 0000000..3a19ec4
--- /dev/null
+++ b/zlib-1.2.11-Limit-hash-table-inserts.patch
@@ -0,0 +1,69 @@
+From 2d80d3f6b52f9fa454c26c89d2d6a1790e1cecb0 Mon Sep 17 00:00:00 2001
+From: Mark Adler
+Date: Sat, 21 Jan 2017 01:50:26 -0800
+Subject: [PATCH] Limit hash table inserts after switch from stored deflate.
+
+This limits hash table inserts to the available data in the window
+and to the sliding window size in deflate_stored(). The hash table
+inserts are deferred until deflateParams() switches to a non-zero
+compression level.
+---
+ deflate.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/deflate.c b/deflate.c
+index 20bda4f..d368b25 100644
+--- a/deflate.c
++++ b/deflate.c
+@@ -1513,6 +1513,8 @@ local void fill_window(s)
+ s->match_start -= wsize;
+ s->strstart -= wsize; /* we now have strstart >= MAX_DIST */
+ s->block_start -= (long) wsize;
++ if (s->insert > s->strstart)
++ s->insert = s->strstart;
+ slide_hash(s);
+ more += wsize;
+ }
+@@ -1742,6 +1744,7 @@ local block_state deflate_stored(s, flush)
+ s->matches = 2; /* clear hash */
+ zmemcpy(s->window, s->strm->next_in - s->w_size, s->w_size);
+ s->strstart = s->w_size;
++ s->insert = s->strstart;
+ }
+ else {
+ if (s->window_size - s->strstart <= used) {
+@@ -1750,12 +1753,14 @@ local block_state deflate_stored(s, flush)
+ zmemcpy(s->window, s->window + s->w_size, s->strstart);
+ if (s->matches < 2)
+ s->matches++; /* add a pending slide_hash() */
++ if (s->insert > s->strstart)
++ s->insert = s->strstart;
+ }
+ zmemcpy(s->window + s->strstart, s->strm->next_in - used, used);
+ s->strstart += used;
++ s->insert += MIN(used, s->w_size - s->insert);
+ }
+ s->block_start = s->strstart;
+- s->insert += MIN(used, s->w_size - s->insert);
+ }
+ if (s->high_water < s->strstart)
+ s->high_water = s->strstart;
+@@ -1779,12 +1784,15 @@ local block_state deflate_stored(s, flush)
+ if (s->matches < 2)
+ s->matches++; /* add a pending slide_hash() */
+ have += s->w_size; /* more space now */
++ if (s->insert > s->strstart)
++ s->insert = s->strstart;
+ }
+ if (have > s->strm->avail_in)
+ have = s->strm->avail_in;
+ if (have) {
+ read_buf(s->strm, s->window + s->strstart, have);
+ s->strstart += have;
++ s->insert += MIN(have, s->w_size - s->insert);
+ }
+ if (s->high_water < s->strstart)
+ s->high_water = s->strstart;
+--
+2.39.1
+
diff --git a/zlib.spec b/zlib.spec
index 9ae4fe9..40e85d5 100644
--- a/zlib.spec
+++ b/zlib.spec
@@ -2,7 +2,7 @@ Name: zlib
 Version: 1.2.11
-Release: 37%{?dist}
+Release: 38%{?dist}
 Summary: Compression and decompression library
 # /contrib/dotzlib/ have Boost license
 License: zlib and Boost
@@ -13,6 +13,9 @@ Source: https://www.zlib.net/zlib-%{version}.tar.xz
 Patch0: zlib-1.2.5-minizip-fixuncrypt.patch
 # resolves: #805113
 Patch1: zlib-1.2.11-optimized-s390.patch
+# Backport upstream commit 2d80d3f6b52f9fa454c26c89d2d6a1790e1cecb0
+# Reason: Fuzzer founds issues with unknown memory access
+Patch5: zlib-1.2.11-Limit-hash-table-inserts.patch
 # IBM Z optimalizations
 Patch7: zlib-1.2.11-IBM-Z-hw-accelrated-deflate-s390x.patch
 # fix for IBM Z optimalizations
@@ -114,6 +117,7 @@ developing applications which use minizip.
 %ifarch s390 s390x
 %patch1 -p1 -b .optimized-deflate
 %endif
+%patch5 -p1
 %patch7 -p1
 %patch11 -p1
 %patch12 -p1
@@ -209,6 +213,9 @@ find $RPM_BUILD_ROOT -name '*.la' -delete
 %changelog
+* Tue Feb 07 2023 Lukas Javorsky - 1.2.11-38
+- Resolve fuzzing issue for unknown memory access
+
 * Tue Feb 07 2023 Lukas Javorsky - 1.2.11-37
 - Rebased Power 8 optimization patches
 - Fix for Unnecessary IFUNC resolver for crc32_z
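Review bot: The backported deflate.c hunks change `fill_window()` and `deflate_stored()`, and the zlib.spec part of this commit applies them (`%patch5 -p1`) immediately before `Patch7`, `zlib-1.2.11-IBM-Z-hw-accelrated-deflate-s390x.patch`, which by its name presumably also edits deflate; nothing here shows that Patch7 still applies on top of Patch5 or that the s390x accelerated path keeps `s->insert` clamped to `s->strstart` when the window slides, so an s390x build and a deflateParams() level-0-to-nonzero switch case (the trigger the upstream message names) are worth confirming. The commit adds no regression input for that switch, so the "fuzzing issue" it claims to resolve cannot be re-checked in `%check`; recording the reproducer reference next to the patch would make the fix verifiable. The inner hunks are excerpts of upstream commit 2d80d3f6 and their enclosing functions start and end outside this hunk.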
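Review bot: The comment added above `Patch5:` does not follow the `# resolves: #805113` convention used for `Patch1` three lines up, and `Fuzzer founds issues` is ungrammatical; the commit subject carries the tracker id (`Resolves: #2167803`) but the spec comment does not, so the next maintainer cannot trace the patch from the spec alone. Suggest `# Backport upstream commit 2d80d3f6b52f9fa454c26c89d2d6a1790e1cecb0` followed by `# resolves: #2167803 (fuzzer-reported unknown memory access in deflate)`. The same tracker id could also be named in the changelog entry of the last hunk, matching the subject.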