Compress-Raw-Zlib: sync with CPAN version 2.075
https://rt.cpan.org/Ticket/Display.html?id=123245 reports a security
vulnerability in versions 1.2.8 through 1.2.10 of the zlib library.  Zlib is
bundled with Compress-Raw-Zlib, so any vulnerability reappears once
Compress-Raw-Zlib is shipped with Perl 5.  The vulnerability is present in
production releases up to and including perl-5.26.1.

To address this vulnerability, this commit upgrades us to the latest CPAN version.
pmqs authored and jkeenan committed Nov 14, 2017
1 parent 6623aa6 commit 6b93e4b
Showing 21 changed files with 1,275 additions and 792 deletions.
2 changes: 1 addition & 1 deletion Porting/Maintainers.pl
Expand Up @@ -214,7 +214,7 @@ package Maintainers;
},

'Compress::Raw::Zlib' => {
'DISTRIBUTION' => 'PMQS/Compress-Raw-Zlib-2.074.tar.gz',
'DISTRIBUTION' => 'PMQS/Compress-Raw-Zlib-2.075.tar.gz',

'FILES' => q[cpan/Compress-Raw-Zlib],
'EXCLUDED' => [
10 changes: 7 additions & 3 deletions cpan/Compress-Raw-Zlib/Zlib.xs
Expand Up @@ -180,8 +180,7 @@ typedef di_stream * inflateStream ;
typedef di_stream * Compress__Raw__Zlib__inflateStream ;
typedef di_stream * Compress__Raw__Zlib__inflateScanStream ;

#define ZMALLOC(to, typ) ((to = (typ *)safemalloc(sizeof(typ))), \
Zero(to,1,typ))
#define ZMALLOC(to, typ) (to = (typ *)safecalloc(sizeof(typ), 1))

/* Figure out the Operating System */
#ifdef MSDOS
Expand Down Expand Up @@ -506,7 +505,8 @@ DispStream(s, message)
voidpf my_zcalloc (voidpf opaque, unsigned items, unsigned size)
{
PERL_UNUSED_VAR(opaque);
return safemalloc(items * size);
return safecalloc(items, size);
/* return safemalloc(items* size); */
}


Expand Down Expand Up @@ -833,6 +833,9 @@ Zip_crc32(buf, crc=crcInitial, offset=0)
#endif
buf = (Byte*)SvPVbyte(sv, len) ;

if (offset > len)
croak("Offset out of range in Compress::Raw::Zlib::crc32");

if (items < 2)
crc = crcInitial;
else if (SvOK(ST(1)))
Expand Down Expand Up @@ -1193,6 +1196,7 @@ flush(s, output, f=Z_FINISH)
uLong availableout = NO_INIT
CODE:
bufinc = s->bufsize;



/* retrieve the output buffer */
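Review bot: The new `if (offset > len)` guard in Zip_crc32 only bounds the offset from above, so it is complete only if `offset` is an unsigned type; the parameter declaration is outside the hunk, and if it is signed a negative value passes the check and moves the buffer pointer before the start of the data, so confirm it is declared STRLEN (or another unsigned type). If the sibling adler32 XSUB also accepts an offset argument it needs the same guard, which this commit does not add. In my_zcalloc the superseded call survives as a comment, `/* return safemalloc(items* size); */`; drop it, since the switch to `safecalloc(items, size)` is already recorded in the history and the comment will only go stale. Zip_crc32's body and the flush() hunk both continue outside the visible lines.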
1 change: 0 additions & 1 deletion cpan/Compress-Raw-Zlib/config.in
Expand Up @@ -19,7 +19,6 @@
BUILD_ZLIB = True
INCLUDE = ./zlib-src
LIB = ./zlib-src

OLD_ZLIB = False
GZIP_OS_CODE = AUTO_DETECT

46 changes: 23 additions & 23 deletions cpan/Compress-Raw-Zlib/lib/Compress/Raw/Zlib.pm
Expand Up @@ -10,7 +10,7 @@ use warnings ;
use bytes ;
our ($VERSION, $XS_VERSION, @ISA, @EXPORT, %EXPORT_TAGS, @EXPORT_OK, $AUTOLOAD, %DEFLATE_CONSTANTS, @DEFLATE_CONSTANTS);

$VERSION = '2.074';
$VERSION = '2.075';
$XS_VERSION = $VERSION;
$VERSION = eval $VERSION;

Expand Down Expand Up @@ -645,7 +645,7 @@ Compress::Raw::Zlib - Low-Level Interface to zlib compression library
The I<Compress::Raw::Zlib> module provides a Perl interface to the I<zlib>
compression library (see L</AUTHOR> for details about where to get
I<zlib>).
I<zlib>).
=head1 Compress::Raw::Zlib::Deflate
Expand All @@ -656,7 +656,7 @@ Here is a definition of the interface available:
=head2 B<($d, $status) = new Compress::Raw::Zlib::Deflate( [OPT] ) >
Initialises a deflation object.
Initialises a deflation object.
If you are familiar with the I<zlib> library, it combines the
features of the I<zlib> functions C<deflateInit>, C<deflateInit2>
Expand Down Expand Up @@ -727,7 +727,7 @@ The default is C<Z_DEFAULT_STRATEGY>.
When a dictionary is specified I<Compress::Raw::Zlib> will automatically
call C<deflateSetDictionary> directly after calling C<deflateInit>. The
Adler32 value for the dictionary can be obtained by calling the method
Adler32 value for the dictionary can be obtained by calling the method
C<$d-E<gt>dict_adler()>.
The default is no dictionary.
Expand Down Expand Up @@ -775,7 +775,7 @@ Here is an example of using the C<Compress::Raw::Zlib::Deflate> optional
parameter list to override the default buffer size and compression
level. All other options will take their default values.
my $d = new Compress::Raw::Zlib::Deflate ( -Bufsize => 300,
my $d = new Compress::Raw::Zlib::Deflate ( -Bufsize => 300,
-Level => Z_BEST_SPEED ) ;
=head2 B<$status = $d-E<gt>deflate($input, $output)>
Expand Down Expand Up @@ -853,7 +853,7 @@ C<Z_DEFAULT_COMPRESSION>.
=item B<-Strategy>
Defines the strategy used to tune the compression. The valid values are
C<Z_DEFAULT_STRATEGY>, C<Z_FILTERED> and C<Z_HUFFMAN_ONLY>.
C<Z_DEFAULT_STRATEGY>, C<Z_FILTERED> and C<Z_HUFFMAN_ONLY>.
=item B<-BufSize>
Expand All @@ -878,14 +878,14 @@ Returns the adler32 value for the dictionary.
=head2 B<$d-E<gt>crc32()>
Returns the crc32 value for the uncompressed data to date.
Returns the crc32 value for the uncompressed data to date.
If the C<CRC32> option is not enabled in the constructor for this object,
this method will always return 0;
=head2 B<$d-E<gt>adler32()>
Returns the adler32 value for the uncompressed data to date.
Returns the adler32 value for the uncompressed data to date.
=head2 B<$d-E<gt>msg()>
Expand All @@ -902,11 +902,11 @@ Returns the total number of compressed bytes output from deflate.
=head2 B<$d-E<gt>get_Strategy()>
Returns the deflation strategy currently used. Valid values are
C<Z_DEFAULT_STRATEGY>, C<Z_FILTERED> and C<Z_HUFFMAN_ONLY>.
C<Z_DEFAULT_STRATEGY>, C<Z_FILTERED> and C<Z_HUFFMAN_ONLY>.
=head2 B<$d-E<gt>get_Level()>
Returns the compression level being used.
Returns the compression level being used.
=head2 B<$d-E<gt>get_BufSize()>
Expand Down Expand Up @@ -954,7 +954,7 @@ Here is a definition of the interface:
=head2 B< ($i, $status) = new Compress::Raw::Zlib::Inflate( [OPT] ) >
Initialises an inflation object.
Initialises an inflation object.
In a list context it returns the inflation object, C<$i>, and the
I<zlib> status code (C<$status>). In a scalar context it returns the
Expand Down Expand Up @@ -1049,7 +1049,7 @@ This option defaults to true.
The C<LimitOutput> option changes the behavior of the C<< $i->inflate >>
method so that the amount of memory used by the output buffer can be
limited.
limited.
When C<LimitOutput> is used the size of the output buffer used will either
be the value of the C<Bufsize> option or the amount of memory already
Expand Down Expand Up @@ -1082,7 +1082,7 @@ data to C<$output>. The C<$input> and C<$output> parameters can either be
scalars or scalar references.
Returns C<Z_OK> if successful and C<Z_STREAM_END> if the end of the
compressed data has been successfully reached.
compressed data has been successfully reached.
If not successful C<$status> will hold the I<zlib> error code.
Expand All @@ -1104,7 +1104,7 @@ this object, the uncompressed data will be appended to C<$output>. If
it is false, C<$output> will be truncated before any uncompressed data
is written to it.
The C<$eof> parameter needs a bit of explanation.
The C<$eof> parameter needs a bit of explanation.
Prior to version 1.2.0, zlib assumed that there was at least one trailing
byte immediately after the compressed data stream when it was carrying out
Expand All @@ -1118,7 +1118,7 @@ conditions apply
=over 5
=item 1
=item 1
You are either using a copy of zlib that is older than version 1.2.0 or you
want your application code to be able to run with as many different
Expand All @@ -1137,7 +1137,7 @@ There is no data immediately after the compressed data stream.
=back
If B<all> of these are the case, then you need to set the C<$eof> parameter
to true on the final call (and only the final call) to C<$i-E<gt>inflate>.
to true on the final call (and only the final call) to C<$i-E<gt>inflate>.
If you have built this module with zlib >= 1.2.0, the C<$eof> parameter is
ignored. You can still set it if you want, but it won't be used behind the
Expand Down Expand Up @@ -1166,7 +1166,7 @@ was created by calling C<Compress::Deflate::flush> with C<Z_FULL_FLUSH>.
This method will reset the inflation object C<$i>. It can be used when you
are uncompressing multiple data streams and want to use the same object to
uncompress each of them.
uncompress each of them.
Returns C<Z_OK> if successful.
Expand Down Expand Up @@ -1304,14 +1304,14 @@ Returns the version of the zlib library.
=head2 my $flags = Compress::Raw::Zlib::zlibCompileFlags();
Returns the flags indicating compile-time options that were used to build
Returns the flags indicating compile-time options that were used to build
the zlib library. See the zlib documentation for a description of the flags
returned by C<zlibCompileFlags>.
Note that when the zlib sources are built along with this module the
C<sprintf> flags (bits 24, 25 and 26) should be ignored.
If you are using zlib 1.2.0 or older, C<zlibCompileFlags> will return 0.
If you are using zlib 1.2.0 or older, C<zlibCompileFlags> will return 0.
=head1 The LimitOutput option.
Expand Down Expand Up @@ -1345,7 +1345,7 @@ source and uncompressing as you go the code will look something like this
die "inflation failed\n"
unless $status == Z_STREAM_END ;
The points to note are
The points to note are
=over 5
Expand Down Expand Up @@ -1377,7 +1377,7 @@ compressed data stream contains the same pattern repeated thousands of
times, a relatively small compressed data stream can uncompress into
hundreds of megabytes. Remember C<inflate> will keep allocating memory
until I<all> the uncompressed data has been written to the output buffer -
the size of C<$output> is unbounded.
the size of C<$output> is unbounded.
The C<LimitOutput> option is designed to help with this use-case.
Expand Down Expand Up @@ -1567,7 +1567,7 @@ L<File::GlobMapper|File::GlobMapper>, L<Archive::Zip|Archive::Zip>,
L<Archive::Tar|Archive::Tar>,
L<IO::Zlib|IO::Zlib>
For RFC 1950, 1951 and 1952 see
For RFC 1950, 1951 and 1952 see
L<http://www.faqs.org/rfcs/rfc1950.html>,
L<http://www.faqs.org/rfcs/rfc1951.html> and
L<http://www.faqs.org/rfcs/rfc1952.html>
Expand All @@ -1582,7 +1582,7 @@ The primary site for gzip is L<http://www.gzip.org>.
=head1 AUTHOR
This module was written by Paul Marquess, C<pmqs@cpan.org>.
This module was written by Paul Marquess, C<pmqs@cpan.org>.
=head1 MODIFICATION HISTORY
33 changes: 30 additions & 3 deletions cpan/Compress-Raw-Zlib/t/02zlib.t
Expand Up @@ -24,13 +24,13 @@ BEGIN

my $count = 0 ;
if ($] < 5.005) {
$count = 232 ;
$count = 237 ;
}
elsif ($] >= 5.006) {
$count = 320 ;
$count = 325 ;
}
else {
$count = 275 ;
$count = 280 ;
}

plan tests => $count + $extra;
Expand Down Expand Up @@ -947,6 +947,33 @@ SKIP:
is $X, "", "no output from second flush";
}

{
title "crc32";

is eval('Compress::Raw::Zlib::crc32("A" x 0x100, 0, 0x100); 0x1234'), 0x1234;
is $@, '';

is eval('Compress::Raw::Zlib::crc32("A" x 0x100, 0, 0x101); 0x1234'), undef;
like $@, mkErr("^Offset out of range in Compress::Raw::Zlib::crc32") ;

}

if (0)
{
title "RT #122695: sync flush appending extra empty uncompressed block";

my $hello = "I am a HAL 9000 computer" ;
my ($err, $x, $X, $status);

ok( ($x, $err) = new Compress::Raw::Zlib::Deflate ( ), "Create deflate object" );
isa_ok $x, "Compress::Raw::Zlib::deflateStream" ;
cmp_ok $err, '==', Z_OK, "status is Z_OK" ;

cmp_ok $x->flush($X, Z_SYNC_FLUSH), '==', Z_OK, "flush returned Z_OK" ;
cmp_ok $x->flush($X, Z_SYNC_FLUSH), '==', Z_OK, "second flush returned Z_OK" ;
is $X, "", "no output from second flush";
}

exit if $] < 5.006 ;

title 'Looping Append test with substr output - substr the end of the string';
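Review bot: The `if (0)` block added after the new crc32 test is dead code: it is unconditionally disabled, carries no comment saying why, and its assertions (`is $X, "", "no output from second flush"`) repeat the ones visible in the preceding SKIP block. Either delete it or turn it into a `skip`/`TODO` with the reason recorded next to it, e.g. `# RT #122695: disabled pending a fix for the extra empty block after a sync flush`, so that someone notices when it can be re-enabled. The new crc32 block exercises both `offset == len` and `offset > len`, which is the right pair of boundaries; the plan count rises by 5 for four `is`/`like` assertions, which presumably counts the `title` call too and is worth checking against the helper's implementation.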
21 changes: 14 additions & 7 deletions cpan/Compress-Raw-Zlib/zlib-src/adler32.c
@@ -1,17 +1,15 @@
/* adler32.c -- compute the Adler-32 checksum of a data stream
* Copyright (C) 1995-2011 Mark Adler
* Copyright (C) 1995-2011, 2016 Mark Adler
* For conditions of distribution and use, see copyright notice in zlib.h
*/

/* @(#) $Id$ */

#include "zutil.h"

#define local static

local uLong adler32_combine_ OF((uLong adler1, uLong adler2, z_off64_t len2));

#define BASE 65521 /* largest prime smaller than 65536 */
#define BASE 65521U /* largest prime smaller than 65536 */
#define NMAX 5552
/* NMAX is the largest n such that 255n(n+1)/2 + (n+1)(BASE-1) <= 2^32-1 */

Expand Down Expand Up @@ -62,10 +60,10 @@ local uLong adler32_combine_ OF((uLong adler1, uLong adler2, z_off64_t len2));
#endif

/* ========================================================================= */
uLong ZEXPORT adler32(
uLong ZEXPORT adler32_z(
uLong adler,
const Bytef *buf,
uInt len)
z_size_t len)
{
unsigned long sum2;
unsigned n;
Expand Down Expand Up @@ -132,6 +130,15 @@ uLong ZEXPORT adler32(
return adler | (sum2 << 16);
}

/* ========================================================================= */
uLong ZEXPORT adler32(
uLong adler,
const Bytef *buf,
uInt len)
{
return adler32_z(adler, buf, len);
}

/* ========================================================================= */
local uLong adler32_combine_(
uLong adler1,
Expand All @@ -156,7 +163,7 @@ local uLong adler32_combine_(
sum2 += ((adler1 >> 16) & 0xffff) + ((adler2 >> 16) & 0xffff) + BASE - rem;
if (sum1 >= BASE) sum1 -= BASE;
if (sum1 >= BASE) sum1 -= BASE;
if (sum2 >= (BASE << 1)) sum2 -= (BASE << 1);
if (sum2 >= ((unsigned long)BASE << 1)) sum2 -= ((unsigned long)BASE << 1);
if (sum2 >= BASE) sum2 -= BASE;
return sum1 | (sum2 << 16);
}
