From 27176508e188c0900877e810be34198cd88dcb63 Mon Sep 17 00:00:00 2001
From: Paul Sokolovsky
Date: Tue, 11 Oct 2016 07:08:28 +0300
Subject: [PATCH] tinflate: When using sliding dictionary, check that offset lies within it.

---
 src/tinf.h | 1 +
 src/tinflate.c | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/src/tinf.h b/src/tinf.h
index 3545bbd..106203a 100644
--- a/src/tinf.h
+++ b/src/tinf.h
@@ -32,6 +32,7 @@ extern "C" {
 #define TINF_DONE 1
 #define TINF_DATA_ERROR (-3)
 #define TINF_CHKSUM_ERROR (-4)
+#define TINF_DICT_ERROR (-5)
 
 /* checksum types */
 #define TINF_CHKSUM_NONE 0
diff --git a/src/tinflate.c b/src/tinflate.c
index 0e53f7f..58850eb 100644
--- a/src/tinflate.c
+++ b/src/tinflate.c
@@ -361,6 +361,9 @@ static int tinf_inflate_block_data(TINF_DATA *d, TINF_TREE *lt, TINF_TREE *dt)
 /* possibly get more bits from distance code */
 offs = tinf_read_bits(d, dist_bits[dist], dist_base[dist]);
 if (d->dict_ring) {
+ if (offs > d->dict_size) {
+ return TINF_DICT_ERROR;
+ }
 d->lzOff = d->dict_idx - offs;
 if (d->lzOff < 0) {
 d->lzOff += d->dict_size;
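Review bot: `TINF_DICT_ERROR` is added in `src/tinf.h` without a comment saying when it is returned, and it is a new negative status that existing callers may not test for. A one-line comment such as `/* back-reference distance exceeds the sliding dictionary */` would document it. Callers are not visible here, but any that compare the result only against `TINF_DATA_ERROR` should treat every negative return as a rejected stream and discard the partial output.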
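Review bot: The added guard `if (offs > d->dict_size)` shows only that the computed index falls inside the ring, not that the slot was written by the current stream. A distance that is `<= d->dict_size` but larger than the output produced so far would still be copied from the dictionary buffer, so a crafted stream could surface stale bytes if the caller reuses or does not clear that buffer (inferred; the buffer setup is outside the hunk). Consider bounding `offs` by the number of bytes emitted so far, capped at `d->dict_size`. Otherwise record the contract next to the check, e.g. `/* offs <= dict_size only shows the index is in the ring; caller must zero dict_ring before each stream */`. The body of `tinf_inflate_block_data` continues outside the hunk, and its non-ring path gets no check from this change, so it probably needs an equivalent bound against the start of the output buffer.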