diff options
author | Adenilson Cavalcanti <adenilson.cavalcanti@arm.com> | 2020-01-23 00:49:29 +0000 |
---|---|---|
committer | Commit Bot <commit-bot@chromium.org> | 2020-01-23 00:49:29 +0000 |
commit | 2326c6ca3ffe2bdfc0199fcdcba22cd97d1fea5a (patch) | |
tree | c936e2ac5a8cf7ca07f2f40cfb1dd509ce2322da | |
parent | 94485d9d189ea113d62a4dc9f02cd39f5daf9469 (diff) | |
download | zlib-2326c6ca3ffe2bdfc0199fcdcba22cd97d1fea5a.tar.gz |
Properly initialize deflate_state instance
Fix use of uninitialized memory reported by oss-fuzz
(and confirmed by valgrind@aarch64) by properly setting deflate_state
internal member (i.e. s->prev) to a valid value before use.
For details, see:
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11360
Bug: 1032721
Change-Id: I6c7b2e87e81b8ccc6c39298fd3c704befd797b96
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2015667
Commit-Queue: Adenilson Cavalcanti <cavalcantii@chromium.org>
Reviewed-by: Chris Blume <cblume@chromium.org>
Reviewed-by: vikas soni <vikassoni@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#734278}
Cr-Mirrored-From: https://chromium.googlesource.com/chromium/src
Cr-Mirrored-Commit: 2d43e0d3369904d881e8519a69481226bba3394c
-rw-r--r-- | deflate.c | 4 | ||||
-rw-r--r-- | patches/0003-uninitializedjump.patch | 15 |
2 files changed, 19 insertions, 0 deletions
@@ -318,6 +318,10 @@ int ZEXPORT deflateInit2_(strm, level, method, windowBits, memLevel, strategy, s->w_size + window_padding, 2*sizeof(Byte)); s->prev = (Posf *) ZALLOC(strm, s->w_size, sizeof(Pos)); + /* Avoid use of uninitialized value, see: + * https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11360 + */ + memset(s->prev, 0, s->w_size * sizeof(Pos)); s->head = (Posf *) ZALLOC(strm, s->hash_size, sizeof(Pos)); s->high_water = 0; /* nothing written to s->window yet */ diff --git a/patches/0003-uninitializedjump.patch b/patches/0003-uninitializedjump.patch new file mode 100644 index 0000000..ab6f6ad --- /dev/null +++ b/patches/0003-uninitializedjump.patch @@ -0,0 +1,15 @@ +diff --git a/third_party/zlib/deflate.c b/third_party/zlib/deflate.c +index a39e62787862..c6053fd1c7ea 100644 +--- a/third_party/zlib/deflate.c ++++ b/third_party/zlib/deflate.c +@@ -318,6 +318,10 @@ int ZEXPORT deflateInit2_(strm, level, method, windowBits, memLevel, strategy, + s->w_size + window_padding, + 2*sizeof(Byte)); + s->prev = (Posf *) ZALLOC(strm, s->w_size, sizeof(Pos)); ++ /* Avoid use of uninitialized value, see: ++ * https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11360 ++ */ ++ memset(s->prev, 0, s->w_size * sizeof(Pos)); + s->head = (Posf *) ZALLOC(strm, s->hash_size, sizeof(Pos)); + + s->high_water = 0; /* nothing written to s->window yet */ |