Fix Issue 23288 - zlib: Fix potential buffer overflow
Hello --
As mentioned in the bug report, this fixes a potential buffer overflow in zlib. It is a combined diff from https://github.com/madler/zlib/commit/eff308af425b67093bab25f80f1ae950166bece1 and https://github.com/madler/zlib/commit/1eb7682f845ac9e9bf9ae35bbfb3bad5dacbd91d.
I wasn't sure whether this should go in master or stable, so I chose master. In any event, we probably want this.
Thanks for your pull request and interest in making D better, @ibara! We are looking forward to reviewing it, and you should be hearing from a maintainer soon. Please verify that your PR follows this checklist:
- My PR is fully covered with tests (you can see the coverage diff by visiting the details link of the codecov check)
- My PR is as minimal as possible (smaller, focused PRs are easier to review than big ones)
- I have provided a detailed rationale explaining my changes
- New or modified functions have Ddoc comments (with `Params:` and `Returns:`)
Please see CONTRIBUTING.md for more information.
If you have addressed all reviews or aren't sure how to proceed, don't hesitate to ping us with a simple comment.
Bugzilla references
Auto-close | Bugzilla | Severity | Description
---|---|---|---
✓ | 23288 | normal | zlib: Fix potential buffer overflow
Testing this PR locally
If you don't have a local development environment setup, you can use Digger to test this PR:
dub run digger -- build "master + phobos#8528"
Is this part of a zlib release?
> Is this part of a zlib release?

Not yet, no. The latest release is 1.2.12, which we already have in Phobos. These commits are from the zlib master branch after 1.2.12 was released.
> Is this part of a zlib release?
>
> Not yet, no. The latest release is 1.2.12, which we already have in Phobos. These commits are from the zlib master branch after 1.2.12 was released.

I think I'd prefer to just "sync" with the development branch then, as there are other regression fixes for bugs that occurred in the .12 release. Surely there'll be a release soon though if this is critical?
> Is this part of a zlib release?
>
> Not yet, no. The latest release is 1.2.12, which we already have in Phobos. These commits are from the zlib master branch after 1.2.12 was released.
>
> I think I'd prefer to just "sync" with the development branch then, as there are other regression fixes for bugs that occurred in the .12 release. Surely there'll be a release soon though if this is critical?

Zlib does not have a good history of timely releases for security critical items: https://orca.security/resources/blog/zlib-memory-corruption-vulnerability-cve-2018-25032/
Why are we not using a git submodule and keep a copy of the original?
I'm not sure why. There are some diffs to upstream zlib in Phobos zlib.
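The last two comments raise the situation a vendored copy gets into: it is neither a submodule pinned to an upstream commit nor identical to any upstream tree, so nobody can say at a glance which local patches exist. The following POSIX shell function is an added example, not code from this PR, from Phobos or from zlib: it walks a vendored directory and an upstream checkout and reports every file that differs, exists only in the vendored copy, or exists only upstream, so the drift can be recorded and re-checked after each sync. Both directory paths are passed as arguments; nothing about the actual Phobos layout is assumed, and the sample trees in the usage block are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the PR, Phobos or zlib): report how a vendored
# copy of a library drifts from the upstream tree it is supposed to track.
#
# vendored_drift VENDORED_DIR UPSTREAM_DIR
#   Prints one line per file, in sorted path order, with one of three tags:
#     differ        <path>   file exists in both trees but contents differ
#     vendored-only <path>   file exists only in the vendored copy
#     upstream-only <path>   file exists only in the upstream tree
#   Identical files print nothing. The function never exits non-zero on
#   drift: local patches are expected, the point is to make them visible.
vendored_drift() {
    vendored="$1"
    upstream="$2"
    {
        # Relative paths of every regular file in each tree ("./a/b" -> "a/b").
        (cd "$upstream" && find . -type f | sed 's|^\./||')
        (cd "$vendored" && find . -type f | sed 's|^\./||')
    } | sort -u | while IFS= read -r rel; do
        if [ ! -e "$vendored/$rel" ]; then
            printf 'upstream-only %s\n' "$rel"
        elif [ ! -e "$upstream/$rel" ]; then
            printf 'vendored-only %s\n' "$rel"
        elif ! cmp -s "$upstream/$rel" "$vendored/$rel"; then
            printf 'differ %s\n' "$rel"
        fi
    done
}

# Stand-alone use: ./vendored_drift.sh VENDORED_DIR UPSTREAM_DIR
# With no arguments, build two small constructed trees and show the report.
if [ "$#" -eq 2 ]; then
    vendored_drift "$1" "$2"
elif [ "$#" -eq 0 ]; then
    demo=$(mktemp -d)
    mkdir -p "$demo/upstream/contrib" "$demo/vendored"
    printf 'int x;\n'                 > "$demo/upstream/inflate.c"
    printf 'int x; /* local fix */\n' > "$demo/vendored/inflate.c"   # constructed local patch
    printf 'same\n'                   > "$demo/upstream/zlib.h"
    printf 'same\n'                   > "$demo/vendored/zlib.h"
    printf 'upstream extra\n'         > "$demo/upstream/contrib/README"
    printf 'build glue\n'             > "$demo/vendored/build.txt"
    vendored_drift "$demo/vendored" "$demo/upstream"
    rm -rf "$demo"
fi
```

Running the report once against the release tag the vendored copy claims to match, saving the output, and diffing it again after each upstream sync turns "there are some diffs to upstream" into a concrete, reviewable list of local patches.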