More merging from zlib-1.1.4
force windowBits > 8 to avoid a bug in the encoder for a window size
of 256 bytes. (A complete fix will be available in 1.1.5).
James Carlson:
The problem is that s->strstart gets set to a very large
positive integer when wsize (local copy of s->w_size) is
subtracted in deflate.c:fill_window(). This happens because
MAX_DIST(s) resolves as a negative number when the window size
is 8 -- MAX_DIST(s) is defined as s->w_size-MIN_LOOKAHEAD in
deflate.h. MIN_LOOKAHEAD is MAX_MATCH+MIN_MATCH+1, and that
is 258+3+1 or 262. Since a window size of 8 gives s->w_size
256, MAX_DIST(s) is 256-262 or -6.
This results in read_buf() writing over memory outside of
s->window, and a crash.
windowBits = -windowBits;
}
if (memLevel < 1 || memLevel > MAX_MEM_LEVEL || method != Z_DEFLATED ||
- windowBits < 8 || windowBits > 15 || level < 0 || level > 9 ||
+ windowBits < 9 || windowBits > 15 || level < 0 || level > 9 ||
strategy < 0 || strategy > Z_HUFFMAN_ONLY) {
return Z_STREAM_ERROR;
}