The qjs inflate loop treated only rc < 0 as an error. Z_NEED_DICT is
positive, so a zlib stream with the FDICT flag and no dictionary made
inflate() return Z_NEED_DICT with no progress every iteration, spinning
forever and growing the output chain on attacker-controlled input.
Handle Z_NEED_DICT explicitly, matching the njs zlib module.
goto fail;
}
+ if (rc == Z_NEED_DICT) {
+ JS_ThrowTypeError(ctx, "failed to inflate, dictionary is required");
+ goto fail;
+ }
+
njs_chb_written(&chain, chunk_size - stream.avail_out);
}
{ value: zlib.deflateRawSync('WAKA', {dictionary: Buffer.from('WAKA')}),
exception: 'InternalError: failed to inflate the compressed data: invalid distance too far back' },
+
+ { value: zlib.deflateSync('WAKA WAKA WAKA', {dictionary: Buffer.from('WAKA')}),
+ raw: false,
+ exception: 'TypeError: failed to inflate, dictionary is required' },
]};
run([