author | DeeJayLSP <djlsplays@gmail.com> | 2022-11-30 11:16:31 -0300 |
---|---|---|
committer | Rémi Verschelde <rverschelde@gmail.com> | 2023-01-07 13:03:06 +0100 |
commit | 93409b8e64a9bc3c271ab4a7489b59a43bc0d048 (patch) | |
tree | bdc406e5e4861818ec5b4b9a36c4fa1b9850b3f6 /thirdparty/zlib/inflate.c | |
parent | 163f6f5fe87d11645e94cd49f41226ab03063e53 (diff) |
zlib/minizip: Update to version 1.2.13, remove zlib from freetype
Security update, fixes CVE-2022-37434 in zlib.
Only applications exposing/using `inflateGetHeader()` seem to be affected,
which is not our case, so this is not critical for Godot.
Remove duplicated copy of zlib in freetype sources to force using the updated
version in `thirdparty/zlib/`.
Co-authored-by: Rémi Verschelde <rverschelde@gmail.com>
Diffstat (limited to 'thirdparty/zlib/inflate.c')
-rw-r--r-- | thirdparty/zlib/inflate.c | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/thirdparty/zlib/inflate.c b/thirdparty/zlib/inflate.c index 7be8c63662..8acbef44e9 100644 --- a/thirdparty/zlib/inflate.c +++ b/thirdparty/zlib/inflate.c @@ -168,6 +168,8 @@ int windowBits; /* extract wrap request from windowBits parameter */ if (windowBits < 0) { + if (windowBits < -15) + return Z_STREAM_ERROR; wrap = 0; windowBits = -windowBits; } @@ -764,8 +766,9 @@ int flush; if (copy > have) copy = have; if (copy) { if (state->head != Z_NULL && - state->head->extra != Z_NULL) { - len = state->head->extra_len - state->length; + state->head->extra != Z_NULL && + (len = state->head->extra_len - state->length) < + state->head->extra_max) { zmemcpy(state->head->extra + len, next, len + copy > state->head->extra_max ? state->head->extra_max - len : copy); |
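Review bot: In the first hunk (`@@ -168,6 +168,8`), the new bound `windowBits < -15` inside the `windowBits < 0` branch is an uncommented magic number. The early `return Z_STREAM_ERROR;` sits before `windowBits = -windowBits;`, so out-of-range negative values are rejected before they are negated. A one-line comment stating that, and what the limit of 15 refers to, would stop a later refactor from moving the check below the negation.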
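Review bot: In the second hunk (`@@ -764,8 +766,9`), the assignment to `len` is now buried in the `if` condition as `(len = state->head->extra_len - state->length) < state->head->extra_max`, and it only executes when the two preceding `Z_NULL` tests pass. That short-circuit order is what makes the dereferences safe, and the `len < extra_max` bound is what keeps `state->head->extra_max - len` in the `zmemcpy` size from going negative or wrapping, but neither is documented. Suggest a short comment above the condition saying that `len` is the offset into `extra` already filled and that the copy is skipped once that offset reaches `extra_max`. Also confirm that `len` is not read after this block on the path where the condition short-circuits before assigning it.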