From 6cef1de7403b553ce8f7e790e38531da6529f34f Mon Sep 17 00:00:00 2001
From: Mark Adler
Date: Thu, 26 Nov 2015 22:52:25 -0800
Subject: [PATCH] Fix bug that accepted invalid zlib header when windowBits is zero.

When windowBits is zero, the size of the sliding window comes from the zlib header. The allowed values of the four-bit field are 0..7, but when windowBits is zero, values greater than 7 are permitted and acted upon, resulting in large, mostly unused memory allocations. This fix rejects such invalid zlib headers.
---
 inflate.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/inflate.c b/inflate.c
index 72e8438..5a687a6 100644
--- a/inflate.c
+++ b/inflate.c
@@ -674,7 +674,7 @@ int flush;
 len = BITS(4) + 8;
 if (state->wbits == 0)
 state->wbits = len;
- else if (len > state->wbits) {
+ if (len > 15 || len > state->wbits) {
 strm->msg = (char *)"invalid window size";
 state->mode = BAD;
 break;
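Review bot: The new `len > 15` test runs only after `state->wbits = len;` has already stored the header value, so in the windowBits == 0 case a rejected header still leaves an out-of-range `state->wbits` (up to 23) in the state when the mode goes to BAD. If a reset path outside this hunk keeps `state->wbits` and the stream is reused, the oversized window allocation this commit is meant to prevent could presumably still occur; that depends on code not visible here. Checking the range before the store avoids it: use `if (len > 15 || (state->wbits != 0 && len > state->wbits)) {` for the rejection and move `if (state->wbits == 0) state->wbits = len;` after that block. The enclosing case and function begin and end outside the hunk. A short comment noting that 15 is the largest window size the four-bit header field may encode would also help the next reader.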