[release/7.0] Upgrade zlib to 1.3.1 (#99474)

* [7.0] Upgrade zlib to 1.3.1

* Bring in patch to remove implicit narrowing conversions from zlib

* [PATCH] Make zlib compile clean against C4244 clang equivalent is
 "implicit-int-conversion" warning

The change to deflate.c is legal because 'len' has an upper bound of
MAX_STORED, which means it fits cleanly into a 16-bit integer. So
writing out 2x 8-bit values will not result in data loss.

The change to trees.c is legal because within this loop, 'count' is
intended to have an upper bound of 138, with the target assignment
only executing if 'count' is bounded by 4. Neither the 'count' local
in isolation nor the addition that's part of the target line is
expected to result in integer overflow. But even if it did, that's a
matter for a different warning code and doesn't impact the correctness
of the narrowing cast being considered here.

Author: Levi Broderick <levib@microsoft.com>

* Update cgmanifest.json and THIRD-PARTY-NOTICES.TXT

* Bring back patches comment, remove unnecessary file removal comment.

THIRD-PARTY-NOTICES.TXT

@@ -73,7 +73,7 @@ https://github.com/madler/zlib
 https://zlib.net/zlib_license.html
 
 /* zlib.h -- interface of the 'zlib' general purpose compression library
-  version 1.2.13, October 13th, 2022
+  version 1.3.1, January 22nd, 2024
 
   Copyright (C) 1995-2022 Jean-loup Gailly and Mark Adler
 

src/native/external/cgmanifest.json

@@ -45,7 +45,7 @@
                 "Type": "git",
                 "Git": {
                     "RepositoryUrl": "https://github.com/madler/zlib",
-          "CommitHash": "04f42ceca40f73e2978b50e93806c2a18c1281fc"
+          "CommitHash": "51b7f2abdade71cd9bb0e7a373ef2610ec6f9daf"
                 }
             },
             "DevelopmentDependency": false

src/native/external/patches/zlib/0001-Make-zlib-compile-clean-against-C4244.patch

@@ -0,0 +1,57 @@
+From 86d96652ddd60f61dc7b0c94b601f6d156d34632 Mon Sep 17 00:00:00 2001
+From: Levi Broderick <levib@microsoft.com>
+Date: Mon, 28 Aug 2023 15:26:38 -0700
+Subject: [PATCH] Make zlib compile clean against C4244 clang equivalent is
+ "implicit-int-conversion" warning
+
+The change to deflate.c is legal because 'len' has an upper bound of
+MAX_STORED, which means it fits cleanly into a 16-bit integer. So
+writing out 2x 8-bit values will not result in data loss.
+
+The change to trees.c is legal because within this loop, 'count' is
+intended to have an upper bound of 138, with the target assignment
+only executing if 'count' is bounded by 4. Neither the 'count' local
+in isolation nor the addition that's part of the target line is
+expected to result in integer overflow. But even if it did, that's a
+matter for a different warning code and doesn't impact the correctness
+of the narrowing cast being considered here.
+---
+ src/native/external/zlib/deflate.c | 8 ++++----
+ src/native/external/zlib/trees.c   | 2 +-
+ 2 files changed, 5 insertions(+), 5 deletions(-)
+
+diff --git a/src/native/external/zlib/deflate.c b/src/native/external/zlib/deflate.c
+index d2e1106ef5d..b7636639754 100644
+--- a/src/native/external/zlib/deflate.c
++++ b/src/native/external/zlib/deflate.c
+@@ -1738,10 +1738,10 @@ local block_state deflate_stored(s, flush)
+         _tr_stored_block(s, (char *)0, 0L, last);
+
+         /* Replace the lengths in the dummy stored block with len. */
+-        s->pending_buf[s->pending - 4] = len;
+-        s->pending_buf[s->pending - 3] = len >> 8;
+-        s->pending_buf[s->pending - 2] = ~len;
+-        s->pending_buf[s->pending - 1] = ~len >> 8;
++        s->pending_buf[s->pending - 4] = (Bytef)len;
++        s->pending_buf[s->pending - 3] = (Bytef)(len >> 8);
++        s->pending_buf[s->pending - 2] = (Bytef)~len;
++        s->pending_buf[s->pending - 1] = (Bytef)(~len >> 8);
+
+         /* Write the stored block header bytes. */
+         flush_pending(s->strm);
+diff --git a/src/native/external/zlib/trees.c b/src/native/external/zlib/trees.c
+index 5f305c47221..8a3eec559e5 100644
+--- a/src/native/external/zlib/trees.c
++++ b/src/native/external/zlib/trees.c
+@@ -721,7 +721,7 @@ local void scan_tree(s, tree, max_code)
+         if (++count < max_count && curlen == nextlen) {
+             continue;
+         } else if (count < min_count) {
+-            s->bl_tree[curlen].Freq += count;
++            s->bl_tree[curlen].Freq += (ush)count;
+         } else if (curlen != 0) {
+             if (curlen != prevlen) s->bl_tree[curlen].Freq++;
+             s->bl_tree[REP_3_6].Freq++;
+-- 
+2.42.0.windows.1
+

src/native/external/zlib-version.txt

@@ -1,15 +1,9 @@
-v1.2.13
-(04f42ceca40f73e2978b50e93806c2a18c1281fc)
+v1.3.1
+(51b7f2abdade71cd9bb0e7a373ef2610ec6f9daf)
 
-https://github.com/madler/zlib/releases/tag/v1.2.13
+https://github.com/madler/zlib/releases/tag/v1.3.1
 
 We have removed zlib.3.pdf from our local copy, as it is a binary file which is
 not needed for our compilation.
 
-We have also cherry-picked into our local copy:
-
-- https://github.com/madler/zlib/commit/e554695638228b846d49657f31eeff0ca4680e8a
-
-  This patch only affects memLevel 9 compression. .NET doesn't currently use this
-  memLevel, but we'll take this patch out of an abundance of caution just in case
-  we enable this functionality in a future release.
+We have also applied the custom patches under the patches/zlib folder.

src/native/external/zlib/CMakeLists.txt

@@ -1,9 +1,11 @@
-cmake_minimum_required(VERSION 2.4.4)
+cmake_minimum_required(VERSION 2.4.4...3.15.0)
 set(CMAKE_ALLOW_LOOSE_LOOP_CONSTRUCTS ON)
 
 project(zlib C)
 
-set(VERSION "1.2.13")
+set(VERSION "1.3.1")
+
+option(ZLIB_BUILD_EXAMPLES "Enable Zlib Examples" ON)
 
 set(INSTALL_BIN_DIR "${CMAKE_INSTALL_PREFIX}/bin" CACHE PATH "Installation directory for executables")
 set(INSTALL_LIB_DIR "${CMAKE_INSTALL_PREFIX}/lib" CACHE PATH "Installation directory for libraries")
@@ -148,7 +150,9 @@ if(MINGW)
 endif(MINGW)
 
 add_library(zlib SHARED ${ZLIB_SRCS} ${ZLIB_DLL_SRCS} ${ZLIB_PUBLIC_HDRS} ${ZLIB_PRIVATE_HDRS})
+target_include_directories(zlib PUBLIC ${CMAKE_CURRENT_BINARY_DIR} ${CMAKE_CURRENT_SOURCE_DIR})
 add_library(zlibstatic STATIC ${ZLIB_SRCS} ${ZLIB_PUBLIC_HDRS} ${ZLIB_PRIVATE_HDRS})
+target_include_directories(zlibstatic PUBLIC ${CMAKE_CURRENT_BINARY_DIR} ${CMAKE_CURRENT_SOURCE_DIR})
 set_target_properties(zlib PROPERTIES DEFINE_SYMBOL ZLIB_DLL)
 set_target_properties(zlib PROPERTIES SOVERSION 1)
 
@@ -166,7 +170,7 @@ endif()
 if(UNIX)
     # On unix-like platforms the library is almost always called libz
    set_target_properties(zlib zlibstatic PROPERTIES OUTPUT_NAME z)
-   if(NOT APPLE)
+   if(NOT APPLE AND NOT(CMAKE_SYSTEM_NAME STREQUAL AIX))
      set_target_properties(zlib PROPERTIES LINK_FLAGS "-Wl,--version-script,\"${CMAKE_CURRENT_SOURCE_DIR}/zlib.map\"")
    endif()
 elseif(BUILD_SHARED_LIBS AND WIN32)
@@ -193,21 +197,22 @@ endif()
 #============================================================================
 # Example binaries
 #============================================================================
-
-add_executable(example test/example.c)
-target_link_libraries(example zlib)
-add_test(example example)
-
-add_executable(minigzip test/minigzip.c)
-target_link_libraries(minigzip zlib)
-
-if(HAVE_OFF64_T)
-    add_executable(example64 test/example.c)
-    target_link_libraries(example64 zlib)
-    set_target_properties(example64 PROPERTIES COMPILE_FLAGS "-D_FILE_OFFSET_BITS=64")
-    add_test(example64 example64)
-
-    add_executable(minigzip64 test/minigzip.c)
-    target_link_libraries(minigzip64 zlib)
-    set_target_properties(minigzip64 PROPERTIES COMPILE_FLAGS "-D_FILE_OFFSET_BITS=64")
+if(ZLIB_BUILD_EXAMPLES)
+    add_executable(example test/example.c)
+    target_link_libraries(example zlib)
+    add_test(example example)
+
+    add_executable(minigzip test/minigzip.c)
+    target_link_libraries(minigzip zlib)
+
+    if(HAVE_OFF64_T)
+        add_executable(example64 test/example.c)
+        target_link_libraries(example64 zlib)
+        set_target_properties(example64 PROPERTIES COMPILE_FLAGS "-D_FILE_OFFSET_BITS=64")
+        add_test(example64 example64)
+
+        add_executable(minigzip64 test/minigzip.c)
+        target_link_libraries(minigzip64 zlib)
+        set_target_properties(minigzip64 PROPERTIES COMPILE_FLAGS "-D_FILE_OFFSET_BITS=64")
+    endif()
 endif()

src/native/external/zlib/ChangeLog

@@ -1,6 +1,34 @@
 
                 ChangeLog file for zlib
 
+Changes in 1.3.1 (22 Jan 2024)
+- Reject overflows of zip header fields in minizip
+- Fix bug in inflateSync() for data held in bit buffer
+- Add LIT_MEM define to use more memory for a small deflate speedup
+- Fix decision on the emission of Zip64 end records in minizip
+- Add bounds checking to ERR_MSG() macro, used by zError()
+- Neutralize zip file traversal attacks in miniunz
+- Fix a bug in ZLIB_DEBUG compiles in check_match()
+- Various portability and appearance improvements
+
+Changes in 1.3 (18 Aug 2023)
+- Remove K&R function definitions and zlib2ansi
+- Fix bug in deflateBound() for level 0 and memLevel 9
+- Fix bug when gzungetc() is used immediately after gzopen()
+- Fix bug when using gzflush() with a very small buffer
+- Fix crash when gzsetparams() attempted for transparent write
+- Fix test/example.c to work with FORCE_STORED
+- Rewrite of zran in examples (see zran.c version history)
+- Fix minizip to allow it to open an empty zip file
+- Fix reading disk number start on zip64 files in minizip
+- Fix logic error in minizip argument processing
+- Add minizip testing to Makefile
+- Read multiple bytes instead of byte-by-byte in minizip unzip.c
+- Add memory sanitizer to configure (--memory)
+- Various portability improvements
+- Various documentation improvements
+- Various spelling and typo corrections
+
 Changes in 1.2.13 (13 Oct 2022)
 - Fix configure issue that discarded provided CC definition
 - Correct incorrect inputs provided to the CRC functions
@@ -1445,7 +1473,7 @@ Changes in 0.99 (27 Jan 96)
 - fix typo in Make_vms.com (f$trnlnm -> f$getsyi)
 - in fcalloc, normalize pointer if size > 65520 bytes
 - don't use special fcalloc for 32 bit Borland C++
-- use STDC instead of __GO32__ to avoid redeclaring exit, calloc, etc...
+- use STDC instead of __GO32__ to avoid redeclaring exit, calloc, etc.
 - use Z_BINARY instead of BINARY
 - document that gzclose after gzdopen will close the file
 - allow "a" as mode in gzopen

src/native/external/zlib/FAQ

@@ -4,7 +4,7 @@
 
 If your question is not there, please check the zlib home page
 http://zlib.net/ which may have more recent information.
-The lastest zlib FAQ is at http://zlib.net/zlib_faq.html
+The latest zlib FAQ is at http://zlib.net/zlib_faq.html
 
 
  1. Is zlib Y2K-compliant?
@@ -14,8 +14,7 @@ The lastest zlib FAQ is at http://zlib.net/zlib_faq.html
  2. Where can I get a Windows DLL version?
 
     The zlib sources can be compiled without change to produce a DLL.  See the
-    file win32/DLL_FAQ.txt in the zlib distribution.  Pointers to the
-    precompiled DLL are found in the zlib web site at http://zlib.net/ .
+    file win32/DLL_FAQ.txt in the zlib distribution.
 
  3. Where can I get a Visual Basic interface to zlib?
 

src/native/external/zlib/Makefile.in

@@ -1,5 +1,5 @@
 # Makefile for zlib
-# Copyright (C) 1995-2017 Jean-loup Gailly, Mark Adler
+# Copyright (C) 1995-2024 Jean-loup Gailly, Mark Adler
 # For conditions of distribution and use, see copyright notice in zlib.h
 
 # To compile and test, type:
@@ -22,13 +22,13 @@ CFLAGS=-O
 
 SFLAGS=-O
 LDFLAGS=
-TEST_LDFLAGS=$(LDFLAGS) -L. libz.a
+TEST_LIBS=-L. libz.a
 LDSHARED=$(CC)
 CPP=$(CC) -E
 
 STATICLIB=libz.a
 SHAREDLIB=libz.so
-SHAREDLIBV=libz.so.1.2.13
+SHAREDLIBV=libz.so.1.3.1
 SHAREDLIBM=libz.so.1
 LIBS=$(STATICLIB) $(SHAREDLIBV)
 
@@ -282,10 +282,10 @@ placebo $(SHAREDLIBV): $(PIC_OBJS) libz.a
 	-@rmdir objs
 
 example$(EXE): example.o $(STATICLIB)
-	$(CC) $(CFLAGS) -o $@ example.o $(TEST_LDFLAGS)
+	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ example.o $(TEST_LIBS)
 
 minigzip$(EXE): minigzip.o $(STATICLIB)
-	$(CC) $(CFLAGS) -o $@ minigzip.o $(TEST_LDFLAGS)
+	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ minigzip.o $(TEST_LIBS)
 
 examplesh$(EXE): example.o $(SHAREDLIBV)
 	$(CC) $(CFLAGS) -o $@ example.o $(LDFLAGS) -L. $(SHAREDLIBV)
@@ -294,10 +294,10 @@ minigzipsh$(EXE): minigzip.o $(SHAREDLIBV)
 	$(CC) $(CFLAGS) -o $@ minigzip.o $(LDFLAGS) -L. $(SHAREDLIBV)
 
 example64$(EXE): example64.o $(STATICLIB)
-	$(CC) $(CFLAGS) -o $@ example64.o $(TEST_LDFLAGS)
+	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ example64.o $(TEST_LIBS)
 
 minigzip64$(EXE): minigzip64.o $(STATICLIB)
-	$(CC) $(CFLAGS) -o $@ minigzip64.o $(TEST_LDFLAGS)
+	$(CC) $(CFLAGS) $(LDFLAGS) -o $@ minigzip64.o $(TEST_LIBS)
 
 install-libs: $(LIBS)
 	-@if [ ! -d $(DESTDIR)$(exec_prefix)  ]; then mkdir -p $(DESTDIR)$(exec_prefix); fi
@@ -359,8 +359,14 @@ zconf.h.cmakein: $(SRCDIR)zconf.h.in
 zconf: $(SRCDIR)zconf.h.in
 	cp -p $(SRCDIR)zconf.h.in zconf.h
 
+minizip-test: static
+	cd contrib/minizip && { CC="$(CC)" CFLAGS="$(CFLAGS)" $(MAKE) test ; cd ../.. ; }
+
+minizip-clean:
+	cd contrib/minizip && { $(MAKE) clean ; cd ../.. ; }
+
 mostlyclean: clean
-clean:
+clean: minizip-clean
 	rm -f *.o *.lo *~ \
 	   example$(EXE) minigzip$(EXE) examplesh$(EXE) minigzipsh$(EXE) \
 	   example64$(EXE) minigzip64$(EXE) \

src/native/external/zlib/README

@@ -1,6 +1,6 @@
 ZLIB DATA COMPRESSION LIBRARY
 
-zlib 1.2.13 is a general purpose data compression library.  All the code is
+zlib 1.3.1 is a general purpose data compression library.  All the code is
 thread safe.  The data format used by the zlib library is described by RFCs
 (Request for Comments) 1950 to 1952 in the files
 http://tools.ietf.org/html/rfc1950 (zlib format), rfc1951 (deflate format) and
@@ -29,18 +29,17 @@ PLEASE read the zlib FAQ http://zlib.net/zlib_faq.html before asking for help.
 
 Mark Nelson <markn@ieee.org> wrote an article about zlib for the Jan.  1997
 issue of Dr.  Dobb's Journal; a copy of the article is available at
-http://marknelson.us/1997/01/01/zlib-engine/ .
+https://marknelson.us/posts/1997/01/01/zlib-engine.html .
 
-The changes made in version 1.2.13 are documented in the file ChangeLog.
+The changes made in version 1.3.1 are documented in the file ChangeLog.
 
 Unsupported third party contributions are provided in directory contrib/ .
 
-zlib is available in Java using the java.util.zip package, documented at
-http://java.sun.com/developer/technicalArticles/Programming/compression/ .
+zlib is available in Java using the java.util.zip package. Follow the API
+Documentation link at: https://docs.oracle.com/search/?q=java.util.zip .
 
-A Perl interface to zlib written by Paul Marquess <pmqs@cpan.org> is available
-at CPAN (Comprehensive Perl Archive Network) sites, including
-http://search.cpan.org/~pmqs/IO-Compress-Zlib/ .
+A Perl interface to zlib and bzip2 written by Paul Marquess <pmqs@cpan.org>
+can be found at https://github.com/pmqs/IO-Compress .
 
 A Python interface to zlib written by A.M. Kuchling <amk@amk.ca> is
 available in Python 1.5 and later versions, see
@@ -64,7 +63,7 @@ Notes for some targets:
 - zlib doesn't work with gcc 2.6.3 on a DEC 3000/300LX under OSF/1 2.1 it works
   when compiled with cc.
 
-- On Digital Unix 4.0D (formely OSF/1) on AlphaServer, the cc option -std1 is
+- On Digital Unix 4.0D (formerly OSF/1) on AlphaServer, the cc option -std1 is
   necessary to get gzprintf working correctly. This is done by configure.
 
 - zlib doesn't work on HP-UX 9.05 with some versions of /bin/cc. It works with
@@ -84,7 +83,7 @@ Acknowledgments:
 
 Copyright notice:
 
- (C) 1995-2022 Jean-loup Gailly and Mark Adler
+ (C) 1995-2024 Jean-loup Gailly and Mark Adler
 
   This software is provided 'as-is', without any express or implied
   warranty.  In no event will the authors be held liable for any damages