Fix Issue 23288 - zlib: Fix potential buffer overflow

[ibara]

Hello --

As mentioned in the bug report, this fixes a potential buffer overflow in zlib. It is a combined diff from
madler/zlib@eff308a
and
madler/zlib@1eb7682

I wasn't sure whether this should go in master or stable, so I chose master. In any event, we probably want this.

[dlang-bot]

Thanks for your pull request and interest in making D better, @ibara! We are looking forward to reviewing it, and you should be hearing from a maintainer soon.
Please verify that your PR follows this checklist:

• My PR is fully covered with tests (you can see the coverage diff by visiting the details link of the codecov check)
• My PR is as minimal as possible (smaller, focused PRs are easier to review than big ones)
• I have provided a detailed rationale explaining my changes
• New or modified functions have Ddoc comments (with Params: and Returns:)

Please see CONTRIBUTING.md for more information.

---

If you have addressed all reviews or aren't sure how to proceed, don't hesitate to ping us with a simple comment.

Bugzilla references

Auto-close	Bugzilla	Severity	Description
✓	23288	normal	zlib: Fix potential buffer overflow

Testing this PR locally

If you don't have a local development environment setup, you can use Digger to test this PR:

dub run digger -- build "master + phobos#8528"

[ibuclaw]

Is this part of a zlib release?

[ibara]

Is this part of a zlib release?

Not yet, no. The latest release is 1.2.12, which we already have in Phobos. These commits are from the zlib master branch after 1.2.12 was released.

[RazvanN7]

Why are we not using a git submodule and keep a copy of the original?

[ibuclaw]

Is this part of a zlib release?

Not yet, no. The latest release is 1.2.12, which we already have in Phobos. These commits are from the zlib master branch after 1.2.12 was released.

I think I'd prefer to just "sync" with the development branch then, as there are other regression fixes for bugs that occurred in the .12 release. Surely they'll be a release soon though if this is critical?

[ibara]

Is this part of a zlib release?

Not yet, no. The latest release is 1.2.12, which we already have in Phobos. These commits are from the zlib master branch after 1.2.12 was released.

I think I'd prefer to just "sync" with the development branch then, as there are other regression fixes for bugs that occurred in the .12 release. Surely they'll be a release soon though if this is critical?

Zlib does not have a good history of timely releases for security critical items: https://orca.security/resources/blog/zlib-memory-corruption-vulnerability-cve-2018-25032/

[ibara]

Why are we not using a git submodule and keep a copy of the original?

I'm not sure why. There are some diffs to upstream zlib in Phobos zlib.