Re: Re: zlib memory corruption on deflate (i.e. compress)

[Tavis Ormandy <taviso () gmail com>]

On Sun, Mar 27, 2022 at 05:39:59PM -0700, Eric Biggers wrote:
> I've attached a full reproducer that works with the following parameters:
>
>       level=7 (also 8 and 9)
>       windowBits=15
>       memLevel=1
>       strategy=Z_DEFAULT_STRATEGY
>
> i.e.,
>
>     deflateInit2(&strm, 7, Z_DEFLATED, 15, 1, Z_DEFAULT_STRATEGY);
>
> With ASAN, it generates a warning like Tavis's reproducer with Z_FIXED did.

Wow, thanks for your analysis Eric.

Confirmed here, and the output deflated stream is also garbage... ouch,
this is really not good...

It seems likely that an attacker can force this state, even if they
don't control the prefix (e.g. a logfile), or perhaps (theoretically)
force a deflated HTTP response to contain output that wasn't sent, etc,
etc.

Let's hope cleaning up old static copies of zlib isn't going to be a
mess for years to come :(

Tavis.


-- 
 _o)            $ lynx lock.cmpxchg8b.com
 /\\  _o)  _o)  $ finger taviso () sdf org
_\_V _( ) _( )  @taviso