Possible use-after-free in gzread.c

[apach301]

Hi,

I found possible use after free with Svace static analyzer.
An access to field state->out occur at

zlib/gzread.c

Line 470 in 5a82f71

state->x.next = state->out + (state->size << 1) - 1;

after it could be deallocated during gz_look() failure.