[Zlib-devel] Silent acceptance of invalid distance codes
Cosmin Truta
cosmin at cs.toronto.edu
Fri Sep 17 00:25:40 EDT 2004
Hi,
There is a problem with all zlib releases, not just the latest release
candidate.
The inflater discards the value of CINFO found in the zlib stream: it
tests whether CINFO is no bigger than state->wbits (e.g. line 599 in
zlib-1.2.1.2/inflate.c), but it loses this value afterwards.
If CINFO indicates a window size smaller than what state->wbits
indicates, invalid streams may be silently accepted. It's easy to run
into a situation where CINFO + 8 < state->wbits, if the user app's
decoder is too lazy to optimize the memory allocated for the sliding
window; e.g. by calling inflateInit() instead of inflateInit2().
More precisely, if a distance code is bigger than (1 << (CINFO + 8)),
but no bigger than (1 << state->wbits), the zlib stream is invalid, but
the inflater accepts it silently.
We discovered this problem after we tweaked the CINFO flag incorrectly,
in libpng. The zlib-based libpng testing program did not tell us that
something's wrong with the produced PNG images, and we received reports
about PNGs crashing other apps (presumably, not zlib-based) soon after
releasing the broken libpng.
Best regards,
Cosmin
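The following is an added example, not code from the post above or from zlib itself. It builds a small zlib stream by hand (a fixed-Huffman deflate block of literals followed by one length-3 match) so that the CINFO field in the header and the match distance can be chosen independently, then shows the check a strict inflater would have to make at the point it decodes a distance: the distance must not exceed 1 << (CINFO + 8), the window the header declares, regardless of how large the decoder's own window (state->wbits) happens to be. The sample data, the function names and the bit-writer are all constructed for this illustration; `try_inflate` hands the stream to the Python `zlib` module only to report what the installed inflater does with it.

```python
"""Added example (not from the zlib-devel post or from zlib): a zlib stream
whose header declares a 256-byte window (CINFO = 0) but whose deflate data
uses a 300-byte distance.  A strict decoder must reject it; a decoder that
only checks CINFO + 8 <= wbits at header time cannot.  Everything here is
constructed for illustration."""
import zlib


class BitWriter:
    """Packs bits LSB-first into bytes, as RFC 1951 requires."""

    def __init__(self):
        self.buf, self.acc, self.nbits = bytearray(), 0, 0

    def write(self, value, nbits):
        # Header fields and extra bits are packed LSB-first.
        self.acc |= value << self.nbits
        self.nbits += nbits
        while self.nbits >= 8:
            self.buf.append(self.acc & 0xFF)
            self.acc >>= 8
            self.nbits -= 8

    def write_huff(self, code, nbits):
        # Huffman codes are packed MSB-first, so reverse the bits first.
        rev = 0
        for i in range(nbits):
            rev = (rev << 1) | ((code >> i) & 1)
        self.write(rev, nbits)

    def finish(self):
        if self.nbits:
            self.buf.append(self.acc & 0xFF)
        return bytes(self.buf)


def fixed_literal(w, byte):
    """Fixed Huffman code for a literal byte (RFC 1951, section 3.2.6)."""
    if byte < 144:
        w.write_huff(0x30 + byte, 8)
    else:
        w.write_huff(0x190 + byte - 144, 9)


def dist_code(dist):
    """Return (distance code, extra bit count, extra value) for 1 <= dist <= 32768."""
    if dist <= 4:
        return dist - 1, 0, 0
    extra = (dist - 1).bit_length() - 2
    code = 2 * extra + 2 + (((dist - 1) >> extra) & 1)
    return code, extra, (dist - 1) & ((1 << extra) - 1)


def build_stream(data, distance, cinfo):
    """Zlib stream: all of `data` as literals, then a length-3 match at `distance`."""
    assert 3 <= distance <= len(data) and 0 <= cinfo <= 7
    w = BitWriter()
    w.write(1, 1)                  # BFINAL = 1
    w.write(1, 2)                  # BTYPE = 01: fixed Huffman codes
    for b in data:
        fixed_literal(w, b)
    w.write_huff(257 - 256, 7)     # length symbol 257 = length 3, no extra bits
    code, nextra, extra = dist_code(distance)
    w.write_huff(code, 5)          # fixed distance codes are 5 bits wide
    w.write(extra, nextra)
    w.write_huff(0, 7)             # end-of-block symbol 256
    cmf = (cinfo << 4) | 8         # CM = 8 (deflate), CINFO = log2(window) - 8
    flg = (31 - (cmf * 256) % 31) % 31     # FCHECK: CMF*256 + FLG is a multiple of 31
    produced = data + data[len(data) - distance:len(data) - distance + 3]
    adler = zlib.adler32(produced) & 0xFFFFFFFF
    return bytes([cmf, flg]) + w.finish() + adler.to_bytes(4, "big")


def parse_header(stream):
    """Decode the two-byte zlib header and the window size it declares."""
    cmf, flg = stream[0], stream[1]
    if (cmf * 256 + flg) % 31 != 0 or cmf & 0x0F != 8:
        raise ValueError("not a zlib header")
    cinfo = cmf >> 4
    return {"cinfo": cinfo, "declared_window": 1 << (cinfo + 8)}


def strict_distance_ok(stream, distance):
    """The check a strict inflater makes per distance: keep CINFO, not just wbits."""
    return distance <= parse_header(stream)["declared_window"]


def try_inflate(stream, wbits=15):
    """Report what the installed zlib does with the stream (not asserted)."""
    try:
        return True, zlib.decompress(stream, wbits)
    except zlib.error as exc:
        return False, str(exc)


SAMPLE = bytes(range(256)) + b"x" * 44    # constructed 300-byte input

if __name__ == "__main__":
    good = build_stream(SAMPLE, distance=3, cinfo=7)    # 32K window declared
    bad = build_stream(SAMPLE, distance=300, cinfo=0)   # 256-byte window declared
    for name, s, d in (("good", good, 3), ("bad", bad, 300)):
        hdr = parse_header(s)
        print(name, "CINFO", hdr["cinfo"], "window", hdr["declared_window"],
              "distance", d, "strict ok:", strict_distance_ok(s, d),
              "installed zlib accepted:", try_inflate(s)[0])
```

Run stand-alone, the script prints both the strict verdict and whatever the installed inflater decided; the two disagree exactly when the inflater has discarded CINFO after its header-time comparison against wbits, which is the behaviour the post describes.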