[Zlib-devel] zlib 1.2.1 inflate bug (fixed in 1.2.1.1)
Mark Adler
madler at alumni.caltech.edu
Sat May 29 22:28:05 EDT 2004
On May 16, 2004, at 5:02 AM, Gilles Vollant wrote:
> I ask again: what is the risk, and how can we obtain a zipfile that
> zlib 1.2.1 did not inflate?
The risk is zero if the deflate stream was made by zlib, gzip, or
info-zip, since the particular missed aspect of the deflate format is
not used by Jean-loup's code. The risk is apparently very small in
other cases, since there has been only the one report. I do not know
what software created the zip file from which the test file was
constructed.
You can get the test file here (~ 13 MB):
http://www.alumni.caltech.edu/~madler/1249-1.gz
> The fix is not released four months after being written, so I suppose
> this is not a big risk...
That does not necessarily follow. :-) However in this case it appears
to not be a big risk. However it is an unconscionable bug.
By the way, the only report that I saw on 1.2.1.1's operability was
from Cosmin.
mark