Handle invalid windowBits in init functions #1293

stoeckmann · 2022-06-13T16:54:03Z

Negative windowBits arguments are eventually turned positive in
deflateInit2_ and inflateInit2_ (more precisely in inflateReset2).
Such values are used to indicate that raw deflate/inflate should
be performed.

If a user supplies INT32_MIN for windowBits, the code will perform
-INT32_MIN which does not fit into int32_t. In fact, this is
undefined behavior in C and should be avoided.

Clearly this is a user error, but given the careful validation of
input arguments a few lines later in deflateInit2_ I think this
might be of interest.

Proof of Concept:

Compile zlib-ng with gcc -ftrapv or -fsanitize=undefined
Compile and run this program:

 #include <limits.h>
 #include <stdio.h>
 #include <zlib-ng.h>

 int main(void) {
  zng_stream de_stream = { 0 }, in_stream = { 0 };
  int result;

  result = zng_deflateInit2(&de_stream, 0, Z_DEFLATED, INT32_MIN,
      MAX_MEM_LEVEL, Z_DEFAULT_STRATEGY);
  printf("zng_deflateInit2: %d\n", result);

  result = zng_inflateInit2(&in_stream, INT32_MIN);
  printf("zng_inflateInit2: %d\n", result);

  return 0;
 }

Negative windowBits arguments are eventually turned positive in deflateInit2_ and inflateInit2_ (more precisely in inflateReset2). Such values are used to indicate that raw deflate/inflate should be performed. If a user supplies INT32_MIN for windowBits, the code will perform -INT32_MIN which does not fit into int32_t. In fact, this is undefined behavior in C and should be avoided. Clearly this is a user error, but given the careful validation of input arguments a few lines later in deflateInit2_ I think this might be of interest. Proof of Concept: - Compile zlib-ng with gcc -ftrapv or -fsanitize=undefined - Compile and run this program: ``` #include <limits.h> #include <stdio.h> #include <zlib-ng.h> int main(void) { zng_stream de_stream = { 0 }, in_stream = { 0 }; int result; result = zng_deflateInit2(&de_stream, 0, Z_DEFLATED, INT32_MIN, MAX_MEM_LEVEL, Z_DEFAULT_STRATEGY); printf("zng_deflateInit2: %d\n", result); result = zng_inflateInit2(&in_stream, INT32_MIN); printf("zng_inflateInit2: %d\n", result); return 0; } ```

nmoinvaz · 2022-06-13T23:18:06Z

It looks good to me, but need @Dead2 to allow workflow approval.

codecov · 2022-06-14T06:57:02Z

Codecov Report

Merging #1293 (6c5417a) into develop (a7598c1) will decrease coverage by 0.02%.
The diff coverage is 50.00%.

@@             Coverage Diff             @@
##           develop    #1293      +/-   ##
===========================================
- Coverage    86.59%   86.57%   -0.03%     
===========================================
  Files          124      124              
  Lines        10533    10537       +4     
  Branches      2622     2624       +2     
===========================================
+ Hits          9121     9122       +1     
- Misses        1056     1059       +3     
  Partials       356      356

Flag	Coverage Δ
macos_clang	`33.33% <ø> (ø)`
macos_gcc	`73.80% <0.00%> (-0.02%)`	⬇️
ubuntu_clang	`85.40% <50.00%> (-0.03%)`	⬇️
ubuntu_clang_debug	`85.04% <50.00%> (-0.02%)`	⬇️
ubuntu_clang_inflate_allow_invalid_dist	`85.11% <50.00%> (-0.03%)`	⬇️
ubuntu_clang_inflate_strict	`85.22% <50.00%> (-0.16%)`	⬇️
ubuntu_clang_mmap	`85.54% <50.00%> (-0.03%)`	⬇️
ubuntu_clang_pigz	`40.21% <0.00%> (-0.04%)`	⬇️
ubuntu_clang_pigz_no_optim	`41.66% <0.00%> (-0.05%)`	⬇️
ubuntu_clang_pigz_no_threads	`39.80% <0.00%> (-0.04%)`	⬇️
ubuntu_clang_reduced_mem	`85.79% <50.00%> (+0.11%)`	⬆️
ubuntu_gcc	`75.65% <0.00%> (-0.02%)`	⬇️
ubuntu_gcc_aarch64	`77.50% <0.00%> (-0.03%)`	⬇️
ubuntu_gcc_aarch64_compat_no_opt	`75.62% <0.00%> (-0.03%)`	⬇️
ubuntu_gcc_aarch64_no_acle	`76.30% <0.00%> (-0.03%)`	⬇️
ubuntu_gcc_aarch64_no_neon	`76.20% <0.00%> (-0.03%)`	⬇️
ubuntu_gcc_armhf	`77.52% <0.00%> (-0.03%)`	⬇️
ubuntu_gcc_armhf_compat_no_opt	`75.60% <0.00%> (-0.03%)`	⬇️
ubuntu_gcc_armhf_no_acle	`77.52% <0.00%> (-0.03%)`	⬇️
ubuntu_gcc_armhf_no_neon	`77.30% <0.00%> (-0.03%)`	⬇️
ubuntu_gcc_armsf	`77.17% <0.00%> (-0.03%)`	⬇️
ubuntu_gcc_armsf_compat_no_opt	`75.27% <0.00%> (-0.03%)`	⬇️
ubuntu_gcc_benchmark	`74.05% <0.00%> (-0.03%)`	⬇️
ubuntu_gcc_compat_no_opt	`76.83% <0.00%> (-0.03%)`	⬇️
ubuntu_gcc_compat_sprefix	`73.98% <0.00%> (-0.03%)`	⬇️
ubuntu_gcc_m32	`73.75% <0.00%> (-0.03%)`	⬇️
ubuntu_gcc_mingw_i686	`0.00% <0.00%> (ø)`
ubuntu_gcc_mingw_x86_64	`0.00% <0.00%> (ø)`
ubuntu_gcc_no_avx2	`74.86% <0.00%> (+0.04%)`	⬆️
ubuntu_gcc_no_ctz	`74.86% <0.00%> (-0.03%)`	⬇️
ubuntu_gcc_no_ctzll	`74.89% <0.00%> (-0.03%)`	⬇️
ubuntu_gcc_no_pclmulqdq	`74.06% <0.00%> (-0.02%)`	⬇️
ubuntu_gcc_no_sse2	`75.01% <0.00%> (-0.02%)`	⬇️
ubuntu_gcc_no_sse4	`74.70% <0.00%> (-0.02%)`	⬇️
ubuntu_gcc_o1	`74.38% <0.00%> (-0.02%)`	⬇️
ubuntu_gcc_osb	`∅ <ø> (∅)`
ubuntu_gcc_pigz	`38.14% <0.00%> (-0.13%)`	⬇️
ubuntu_gcc_pigz_aarch64	`39.22% <0.00%> (-0.09%)`	⬇️
ubuntu_gcc_ppc	`73.66% <0.00%> (-0.03%)`	⬇️
ubuntu_gcc_ppc64	`74.43% <0.00%> (-0.03%)`	⬇️
ubuntu_gcc_ppc64le	`74.41% <0.00%> (-0.03%)`	⬇️
ubuntu_gcc_ppc_no_power8	`74.61% <0.00%> (-0.03%)`	⬇️
ubuntu_gcc_s390x	`74.82% <0.00%> (-0.03%)`	⬇️
ubuntu_gcc_s390x_dfltcc	`72.21% <0.00%> (-0.03%)`	⬇️
ubuntu_gcc_s390x_dfltcc_compat	`73.75% <0.00%> (-0.02%)`	⬇️
ubuntu_gcc_s390x_no_crc32	`74.60% <0.00%> (-0.03%)`	⬇️
ubuntu_gcc_sparc64	`74.71% <0.00%> (-0.03%)`	⬇️
ubuntu_gcc_sprefix	`73.78% <0.00%> (+0.12%)`	⬆️
win64_gcc	`73.84% <0.00%> (-0.03%)`	⬇️
win64_gcc_compat_no_opt	`74.35% <0.00%> (+<0.01%)`	⬆️

Flags with carried forward coverage won't be shown. Click here to find out more.

Impacted Files	Coverage Δ
deflate.c	`83.20% <50.00%> (-0.09%)`	⬇️
inflate.c	`93.58% <50.00%> (-0.10%)`	⬇️
arch/x86/adler32_avx512_tpl.h	`97.87% <0.00%> (-2.13%)`	⬇️

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update a7598c1...6c5417a. Read the comment docs.

Changes since 2.0.6: - Fix CVE-2022-37434 #1328 - Fix chunkmemset #1196 - Fix deflateBound too small #1236 - Fix Z_SOLO #1263 - Fix ACLE variant of crc32 #1274 - Fix inflateBack #1311 - Fix deflate_quick windowsize #1431 - Fix DFLTCC bugs related to adler32 #1349 and #1390 - Fix warnings #1194 #1312 #1362 - MacOS build fix #1198 - Add invalid windowBits handling #1293 - Support for Force TZCNT #1186 - Support for aligned_alloc() #1360 - Minideflate improvements #1175 #1238 - Dont use unaligned access for memcpy #1309 - Build system #1209 #1233 #1267 #1273 #1278 #1292 #1316 #1318 #1365 - Test improvements #1208 #1227 #1241 #1353 - Cleanup #1266 - Documentation #1205 #1359 - Misc improvements #1294 #1297 #1306 #1344 #1348 - Backported zlib fixes - Backported CI workflows from Develop branch

nmoinvaz added the Sanitizer issue label Jun 14, 2022

Dead2 approved these changes Jun 14, 2022

View reviewed changes

Dead2 merged commit 956ff05 into zlib-ng:develop Jun 16, 2022

Dead2 mentioned this pull request Dec 27, 2022

Stable release 2.0.7 #1393

Merged

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Handle invalid windowBits in init functions #1293

Handle invalid windowBits in init functions #1293

Uh oh!

stoeckmann commented Jun 13, 2022

Uh oh!

nmoinvaz commented Jun 13, 2022

Uh oh!

codecov bot commented Jun 14, 2022 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Uh oh!

Handle invalid windowBits in init functions #1293

Handle invalid windowBits in init functions #1293

Uh oh!

Conversation

stoeckmann commented Jun 13, 2022

Uh oh!

nmoinvaz commented Jun 13, 2022

Uh oh!

codecov bot commented Jun 14, 2022 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

codecov bot commented Jun 14, 2022 •

edited

Loading