Properly initialize deflate_state instance

Fix use of uninitialized memory reported by oss-fuzz (and confirmed by valgrind@aarch64) by properly setting deflate_state internal member (i.e. s->prev) to a valid value before use. For details, see: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11360 Bug: 1032721 Change-Id: I6c7b2e87e81b8ccc6c39298fd3c704befd797b96 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2015667 Commit-Queue: Adenilson Cavalcanti <cavalcantii@chromium.org> Reviewed-by: Chris Blume <cblume@chromium.org> Reviewed-by: vikas soni <vikassoni@chromium.org> Cr-Commit-Position: refs/heads/master@{#734278}

Properly initialize deflate_state instance
Fix use of uninitialized memory reported by oss-fuzz (and confirmed by valgrind@aarch64) by properly setting deflate_state internal member (i.e. s->prev) to a valid value before use. For details, see: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11360 Bug: 1032721 Change-Id: I6c7b2e87e81b8ccc6c39298fd3c704befd797b96 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2015667 Commit-Queue: Adenilson Cavalcanti <cavalcantii@chromium.org> Reviewed-by: Chris Blume <cblume@chromium.org> Reviewed-by: vikas soni <vikassoni@chromium.org> Cr-Commit-Position: refs/heads/master@{#734278}
2d43e0d3 · Adenilson Cavalcanti · Commit Bot · f11817d3 · 2d43e0d3 · 2d43e0d3
Commit 2d43e0d3 authored Jan 23, 2020 by Adenilson Cavalcanti Committed by Commit Bot Jan 23, 2020
Hide whitespace changes
Inline Side-by-side

Showing with 19 additions and 0 deletions

third_party/zlib/deflate.c third_party/zlib/deflate.c +4 -0

third_party/zlib/patches/0003-uninitializedjump.patch third_party/zlib/patches/0003-uninitializedjump.patch +15 -0

No files found.
--- a/third_party/zlib/deflate.c
+++ b/third_party/zlib/deflate.c
@@ -318,6 +318,10 @@ int ZEXPORT deflateInit2_(strm, level, method, windowBits, memLevel, strategy,
                                 s->w_size + window_padding,
                                 2*sizeof(Byte));
    s->prev   = (Posf *)  ZALLOC(strm, s->w_size, sizeof(Pos));
+    /* Avoid use of uninitialized value, see:
+     * https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11360
+     */
+    memset(s->prev, 0, s->w_size * sizeof(Pos));
    s->head   = (Posf *)  ZALLOC(strm, s->hash_size, sizeof(Pos));

    s->high_water = 0;      /* nothing written to s->window yet */

--- a/third_party/zlib/patches/0003-uninitializedjump.patch
+++ b/third_party/zlib/patches/0003-uninitializedjump.patch
+diff --git a/third_party/zlib/deflate.c b/third_party/zlib/deflate.c
+index a39e62787862..c6053fd1c7ea 100644
+--- a/third_party/zlib/deflate.c
+++ b/third_party/zlib/deflate.c
+@@ -318,6 +318,10 @@ int ZEXPORT deflateInit2_(strm, level, method, windowBits, memLevel, strategy,
+                                  s->w_size + window_padding,
+                                  2*sizeof(Byte));
+     s->prev   = (Posf *)  ZALLOC(strm, s->w_size, sizeof(Pos));
+    /* Avoid use of uninitialized value, see:
+     * https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11360
+     */
+    memset(s->prev, 0, s->w_size * sizeof(Pos));
+     s->head   = (Posf *)  ZALLOC(strm, s->hash_size, sizeof(Pos));
+ 
+     s->high_water = 0;      /* nothing written to s->window yet */