Deflate failures confirmed in downstreams using 1.2.10 / 1.2.11 #206
Comments
|
Isolating it to that commit points to a problem in the application code, where it must be inadvertently stomping on the deflate state, e.g. with an out-of-bounds write into memory, or perhaps that the code is trying to use the deflate state after it has been closed. The only change that commit made was to check the integrity of the deflate structure more thoroughly on each call of a deflate* function. |
|
Hi @madler, If tested every change on that commit and figure out these two ifs which returned false before the commit started to return true afterwards: Checking what is now being checked on May you guide me to better debug it? What is the issue with those two 'strm' being equal, and how the erlang code could have used it in a wrong way? |
|
The Erlang VM does a shallow memcpy of z_stream and commit b516b4b Seems inflateCopy() is the solution and the correct way to do it. /Sverker, Erlang/OTP @ Ericsson |
|
Thank you for the resolution. I will close this as it is not a zlib issue. |
|
@madler thanks for your help! |
|
I am developer of this SDL game. Here is zip archive with example: http://download.evolonline.org/manaplus/bug/bug.zip Probably error in physfs, and i will report same issue to physfs developer. |
|
It was same issue in physfs. Replacing memcpy to inflateCopy fixed issues |
|
@4144 and don't forget to deallocate abandoned z_stream with inflateEnd. |
|
Of course, if you're just going to copy it and then abandon the original, you could instead simply transfer the original. |
|
I think it's ok only with replacing memcpy to inflateCopy. But i not familar with zlib api. Here is code with bug: https://hg.icculus.org/icculus/physfs/file/34ebe997c5c0/archivers/zip.c#l330 Physfs devs still not responding... |
|
@madler I didn't find any support in the API to "transfer" a z_stream. |
|
@4144 inflateCopy will give you two independent z_stream's and you need to deallocate them both, the original and the copy. |
|
@madler Maybe I misunderstood you. I have a stack allocated z_stream and I need to store it in a heap allocated structure i order to return back and do other work for a while. By transfer I thought you ment an optimized "inflateMove" operation that reuses (transfer) the internal_state to a new z_stream. |
|
By "transfer" I mean simply provide the pointer. It sounded like someone was copying an inflate state, destroying the original, and proceeding to use the copy, when they could have just used the original instead without ever copying. I understand from your post that the state is on the stack of a routine that is returning, and so needs to be moved to a safer place. Then it makes sense to copy and immediately destroy the original. Though you could have created it on the heap in the first place. |
|
@sverker thanks, physfs patch updated. |
The requirements for an ideal integration of a project in oss-fuzz are: https://github.com/google/oss-fuzz/blob/master/docs/ideal_integration.md - Is maintained by code owners in their RCS (Git, SVN, etc). - Is built with the rest of the tests - no bit rot! - Has a seed corpus with good code coverage. - Is continuously tested on the seed corpus with ASan/UBSan/MSan - Is fast and has no OOMs - Has a fuzzing dictionary, if applicable
Sorry this is not a more helpful bug report as I don't know the nature of the issue or have a simple test program but I thought I should leave it here in case it helps others.
I found a problem this week in the Erlang
dialyzerprogram on Arch Linux; it was not able to recognize its own file formats after an update. I isolated the failure to the recent zlib update and then found someone else from the Arch forum had also found a zlib problem in an SDL game.@michelboaventura had also seen the
dialyzerissue using 1.2.11 on gentoo, after hearing it was linked to zlib he was kind enough to bisect the zlib commit history and isolated the fault to b516b4b (this is reported in this thread). The same commit was confirmed to be where the issue was introduced in the manaplus game mentioned in the Arch thread.The text was updated successfully, but these errors were encountered: