Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
---|---|---|---|---|---|---|
cflags-for-minizip | | | no | | | |
use-dso | | | no | | | |
use-dso-really | | | no | | | |
Fix-a-bug-that-can-crash-deflate-on-some-input-when-.patch | Fix a bug that can crash deflate on some input when using Z_FIXED. This bug was reported by Danilo Ramos of Eideticom, Inc. It has lain in wait 13 years before being found! The bug was introduced in zlib 1.2.2.2, with the addition of the Z_FIXED option. That option forces the use of fixed Huffman codes. For rare inputs with a large number of distant matches, the pending buffer into which the compressed data is written can overwrite the distance symbol table which it overlays. That results in corrupted output due to invalid distances, and can result in out-of-bound accesses, crashing the application. The fix here combines the distance buffer and literal/length buffers into a single symbol buffer. Now three bytes of pending buffer space are opened up for each literal or length/distance pair consumed, instead of the previous two bytes. This assures that the pending buffer cannot overwrite the symbol table, since the maximum fixed code compressed length/distance is 31 bits, and since there are four bytes of pending space for every three bytes of symbol space. | Mark Adler <madler@alumni.caltech.edu> | no | debian | https://github.com/madler/zlib/commit/5c44459c3b28a9bd3283aaceab7c615f8020c531 | 2018-04-17 |
Fix-a-bug-when-getting-a-gzip-header-extra-field-wit.patch | Fix a bug when getting a gzip header extra field with inflate(). If the extra field was larger than the space the user provided with inflateGetHeader(), and if multiple calls of inflate() delivered the extra header data, then there could be a buffer overflow of the provided space. This commit assures that provided space is not exceeded. | Mark Adler <fork@madler.net> | no | debian | https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1 | 2022-07-30 |
Fix-extra-field-processing-bug-that-dereferences-NUL.patch | Fix extra field processing bug that dereferences NULL state->head. The recent commit to fix a gzip header extra field processing bug introduced the new bug fixed here. | Mark Adler <fork@madler.net> | no | | https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d | 2022-08-08 |