authorAdenilson Cavalcanti <adenilson.cavalcanti@arm.com>2020-01-23 00:49:29 +0000
committerCommit Bot <commit-bot@chromium.org>2020-01-23 00:49:29 +0000
commit2326c6ca3ffe2bdfc0199fcdcba22cd97d1fea5a (patch)
treec936e2ac5a8cf7ca07f2f40cfb1dd509ce2322da
parent94485d9d189ea113d62a4dc9f02cd39f5daf9469 (diff)
downloadzlib-2326c6ca3ffe2bdfc0199fcdcba22cd97d1fea5a.tar.gz
Properly initialize deflate_state instance
Fix use of uninitialized memory reported by oss-fuzz (and confirmed by valgrind@aarch64) by properly setting deflate_state internal member (i.e. s->prev) to a valid value before use. For details, see: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11360 Bug: 1032721 Change-Id: I6c7b2e87e81b8ccc6c39298fd3c704befd797b96 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2015667 Commit-Queue: Adenilson Cavalcanti <cavalcantii@chromium.org> Reviewed-by: Chris Blume <cblume@chromium.org> Reviewed-by: vikas soni <vikassoni@chromium.org> Cr-Original-Commit-Position: refs/heads/master@{#734278} Cr-Mirrored-From: https://chromium.googlesource.com/chromium/src Cr-Mirrored-Commit: 2d43e0d3369904d881e8519a69481226bba3394c
-rw-r--r--deflate.c4
-rw-r--r--patches/0003-uninitializedjump.patch15
2 files changed, 19 insertions, 0 deletions
diff --git a/deflate.c b/deflate.c
index a39e627..58744b8 100644
--- a/deflate.c
+++ b/deflate.c
@@ -318,6 +318,10 @@ int ZEXPORT deflateInit2_(strm, level, method, windowBits, memLevel, strategy,
s->w_size + window_padding,
2*sizeof(Byte));
s->prev = (Posf *) ZALLOC(strm, s->w_size, sizeof(Pos));
+ /* Avoid use of uninitialized value, see:
+ * https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11360
+ */
+ memset(s->prev, 0, s->w_size * sizeof(Pos));
s->head = (Posf *) ZALLOC(strm, s->hash_size, sizeof(Pos));
s->high_water = 0; /* nothing written to s->window yet */
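Review bot: The added `memset` writes through `s->prev` immediately after the `ZALLOC` on the line above, before that allocation's result is checked, and `ZALLOC` returns `Z_NULL` when the caller-supplied `zalloc` fails; the allocation-failure check in `deflateInit2_` is outside this hunk, but if it sits after the `s->head` allocation as in stock zlib, an allocation failure now becomes a NULL write instead of a `Z_MEM_ERROR` return. Either guard the clear, `if (s->prev != Z_NULL) memset(s->prev, 0, s->w_size * sizeof(Pos));`, or move the zeroing below the existing `== Z_NULL` check so the allocation and its validation stay adjacent. zlib's `zmemzero` wrapper (zutil.h) exists for exactly this, and using it would keep the clear consistent with the other buffer clears in this file if they use it. The same ordering issue is carried into the copy of the change in patches/0003-uninitializedjump.patch. The enclosing function `deflateInit2_` starts and ends outside the hunk.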
diff --git a/patches/0003-uninitializedjump.patch b/patches/0003-uninitializedjump.patch
new file mode 100644
index 0000000..ab6f6ad
--- /dev/null
+++ b/patches/0003-uninitializedjump.patch
@@ -0,0 +1,15 @@
+diff --git a/third_party/zlib/deflate.c b/third_party/zlib/deflate.c
+index a39e62787862..c6053fd1c7ea 100644
+--- a/third_party/zlib/deflate.c
++++ b/third_party/zlib/deflate.c
+@@ -318,6 +318,10 @@ int ZEXPORT deflateInit2_(strm, level, method, windowBits, memLevel, strategy,
+ s->w_size + window_padding,
+ 2*sizeof(Byte));
+ s->prev = (Posf *) ZALLOC(strm, s->w_size, sizeof(Pos));
++ /* Avoid use of uninitialized value, see:
++ * https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11360
++ */
++ memset(s->prev, 0, s->w_size * sizeof(Pos));
+ s->head = (Posf *) ZALLOC(strm, s->hash_size, sizeof(Pos));
+
+ s->high_water = 0; /* nothing written to s->window yet */