From 8d284299a9f34dc6adefe6ea2042fd5891b1a270 Mon Sep 17 00:00:00 2001
From: Colin Percival <cperciva@FreeBSD.org>
Date: Wed, 6 Jul 2005 14:00:52 +0000
Subject: [PATCH] Correct a buffer overflow which occurred in the handling of
 some particularly corrupt deflated data streams.

Security:	FreeBSD-SA-05:16.zlib
Approved by:	re (security blanket)
---
 lib/libz/inftrees.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/libz/inftrees.c b/lib/libz/inftrees.c
index 8a896b28793..509461d9273 100644
--- a/lib/libz/inftrees.c
+++ b/lib/libz/inftrees.c
@@ -134,7 +134,7 @@ unsigned short FAR *work;
         left -= count[len];
         if (left < 0) return -1;        /* over-subscribed */
     }
-    if (left > 0 && (type == CODES || (codes - count[0] != 1)))
+    if (left > 0 && (type == CODES || max != 1))
         return -1;                      /* incomplete set */
 
     /* generate offsets into symbol table for each length for sorting */