[Zlib-devel] zlib 1.2.3.1 released for testing
Cosmin Truta
cosmin at cs.toronto.edu
Tue Sep 19 22:31:34 EDT 2006
On Mon, 18 Sep 2006, Glenn Randers-Pehrson wrote:
> At 10:09 PM 9/17/2006 -0700, Greg Roelofs wrote:
>
> >Yup. I couldn't remember if 1.1.4 had any known issues of its own,
> >though.
>
> It does not detect "too far back" errors. Maybe that is harmless,
> but the solution Mark proposes for 1.2.3.x (substitute zeroes for
> the out-of-bounds memory accesses) is better, I think.
My 2 cents:
I don't think I like the idea of hurting zlib users who want the
inflation as fast as possible, for the sake of sloppy web designers.
Don't want distance codes too far back? The app can set the inflation
window size to the maximum (32768). Don't want arbitrary values? The app
can set a zero'ed deflate dictionary (32768 x '\0') prior to inflation.
I don't know if the latter is allowed by the zlib API, and I cannot
look into the source code right now. But if dictionaries cannot be used
without having the "dictionary bit" set and the "dictionary checksum"
matched in the deflate stream, at least it could be possible to modify
zlib to accept zero-only dictionaries when the user wants to use them.
I see this as a much lesser intrusion, both performance-wise (since
regular users don't get affected) and implementation-wise (because the
chance of introducing bugs in the inflate code is much smaller).
Best regards,
Cosmin
More information about the Zlib-devel
mailing list