From 473a7347e48402199c948c7f42a812ceba8f82d3 Mon Sep 17 00:00:00 2001
From: Lim Sim Yee <137663782+simei2k@users.noreply.github.com>
Date: Wed, 30 Apr 2025 22:55:25 +0800
Subject: [PATCH] Fix potential vulnerable cloned functions

This PR fixes a potential vulnerability in _tr_tally() that was cloned from zlb but did not receive the security patch. The original issue was reported and fixed under lua/lua@42d4058. This PR applies the same patch to eliminate the vulnerability.

References https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531 madler/zlib@5c44459
---
 Windows/Demo/IMApp/zlib/trees.c | 30 ++++--------------------------
 1 file changed, 4 insertions(+), 26 deletions(-)

diff --git a/Windows/Demo/IMApp/zlib/trees.c b/Windows/Demo/IMApp/zlib/trees.c
index 19d46c93d7..98371787df 100644
--- a/Windows/Demo/IMApp/zlib/trees.c
+++ b/Windows/Demo/IMApp/zlib/trees.c
@@ -1010,8 +1010,9 @@ int ZLIB_INTERNAL _tr_tally (s, dist, lc)
 unsigned dist; /* distance of matched string */
 unsigned lc; /* match length-MIN_MATCH or unmatched char (if dist==0) */
 {
- s->d_buf[s->last_lit] = (ush)dist;
- s->l_buf[s->last_lit++] = (uch)lc;
+ s->sym_buf[s->sym_next++] = dist;
+ s->sym_buf[s->sym_next++] = dist >> 8;
+ s->sym_buf[s->sym_next++] = lc;
 if (dist == 0) {
 /* lc is the unmatched char */
 s->dyn_ltree[lc].Freq++;
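Review bot: The three added stores write through `s->sym_buf` and `s->sym_next`, fields that only exist if deflate.h and deflate.c were converted together with this file, yet the diffstat says this patch touches trees.c alone with four insertions, all of which are visible in the two hunks. In the upstream fix being backported (madler/zlib@5c44459) the symbol buffer is declared in deflate.h and set up in deflate.c, roughly `s->sym_buf = s->pending_buf + s->lit_bufsize;` and `s->sym_end = (s->lit_bufsize - 1) * 3;`, and the pending-buffer bound checks in the deflate.c entry points are adjusted to match; without those pieces this tally either does not compile or, if the fields were added earlier without the rest, writes symbols into a buffer that nothing in this file flushes, since the readers of the old `d_buf`/`l_buf` pair elsewhere in trees.c are presumably still untouched. Please confirm an earlier commit already landed the deflate.c/deflate.h side and converted the rest of trees.c, or fold those changes into this PR; as it stands the description's claim that the vulnerability is eliminated is not supported by the diff. Separately, the new stores drop the explicit narrowing casts the old code had (`(ush)dist`, `(uch)lc`), so an MSVC build of this Windows demo will likely raise C4244 here; `(uch)dist`, `(uch)(dist >> 8)` and `(uch)lc` would keep it warning-clean. `_tr_tally` starts before this hunk (the `deflate_state *s` parameter line is above it) and its body continues in the next hunk.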
@@ -1026,30 +1027,7 @@ int ZLIB_INTERNAL _tr_tally (s, dist, lc)
 s->dyn_ltree[_length_code[lc]+LITERALS+1].Freq++;
 s->dyn_dtree[d_code(dist)].Freq++;
 }
-
-#ifdef TRUNCATE_BLOCK
- /* Try to guess if it is profitable to stop the current block here */
- if ((s->last_lit & 0x1fff) == 0 && s->level > 2) {
- /* Compute an upper bound for the compressed length */
- ulg out_length = (ulg)s->last_lit*8L;
- ulg in_length = (ulg)((long)s->strstart - s->block_start);
- int dcode;
- for (dcode = 0; dcode < D_CODES; dcode++) {
- out_length += (ulg)s->dyn_dtree[dcode].Freq * (5L+extra_dbits[dcode]);
- }
- out_length >>= 3;
- Tracev((stderr,"\nlast_lit %u, in %ld, out ~%ld(%ld%%) ", s->last_lit, in_length, out_length, 100L - out_length*100L/in_length));
- if (s->matches < s->last_lit/2 && out_length < in_length/2) return 1;
- }
-#endif
- return (s->last_lit == s->lit_bufsize-1);
- /* We avoid equality with lit_bufsize because of wraparound at 64K
- * on 16 bit machines and because stored blocks are restricted to
- * 64K-1 bytes.
- */
+ return (s->sym_next == s->sym_end);
 }
 
 /* ===========================================================================
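Review bot: `return (s->sym_next == s->sym_end);` depends on `s->sym_end` holding the right limit and on `s->sym_next` being reset to 0 whenever a new block is started, and neither happens anywhere in this patch: the diffstat lists trees.c only, with four insertions that are all visible here, so `init_block()` in this same file presumably still clears `last_lit` rather than `sym_next` (upstream changed that line to `s->sym_next = s->matches = 0;`) and `sym_end` is never assigned unless an earlier commit did it. If `sym_end` is stale or zero the tally never reports a full buffer, and the stores in the previous hunk then run past `sym_buf`, which is precisely the overflow the referenced zlib fix removes, so this needs to be verified before merging. The old comment explaining why the limit sits one symbol short of `lit_bufsize` is dropped without replacement; I would keep that reasoning next to the new return, e.g. `/* sym_end is (lit_bufsize - 1) * 3: stop one symbol early so a stored block never exceeds 64K-1 bytes */`, provided `sym_end` is set the way upstream sets it. `_tr_tally` begins in the previous hunk; only its tail is shown here.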