CVSROOT: /cvs Module name: src Changes by: t...@cvs.openbsd.org 2022/03/25 04:54:27
Modified files: lib/libz : deflate.c deflate.h trees.c Log message: Fix memory corruption bug in zlib zlib has a crashing bug. The bug fix has been sitting in the unreleased develop branch for nearly four years. Pull in this fix. ok mbuhl millert Reported by Tavis Ormandy on oss-security: https://marc.info/?l=oss-security&m=164809382107156&w=2 commit 5c44459c3b28a9bd3283aaceab7c615f8020c531 Author: Mark Adler <mad...@alumni.caltech.edu> Date: Tue Apr 17 22:09:22 2018 -0700 Fix a bug that can crash deflate on some input when using Z_FIXED. This bug was reported by Danilo Ramos of Eideticom, Inc. It has lain in wait 13 years before being found! The bug was introduced in zlib 1.2.2.2, with the addition of the Z_FIXED option. That option forces the use of fixed Huffman codes. For rare inputs with a large number of distant matches, the pending buffer into which the compressed data is written can overwrite the distance symbol table which it overlays. That results in corrupted output due to invalid distances, and can result in out-of-bound accesses, crashing the application. The fix here combines the distance buffer and literal/length buffers into a single symbol buffer. Now three bytes of pending buffer space are opened up for each literal or length/distance pair consumed, instead of the previous two bytes. This assures that the pending buffer cannot overwrite the symbol table, since the maximum fixed code compressed length/distance is 31 bits, and since there are four bytes of pending space for every three bytes of symbol space. https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531