[PATCH] lib: zlib: Use post-increment only in inffast.c.

Tom Rini trini at konsulko.com
Sun Sep 11 19:33:20 CEST 2022


On Sun, Sep 11, 2022 at 04:16:12PM +0300, Sergei Antonov wrote:
> On Sun, 11 Sept 2022 at 11:47, Jit Loon Lim <jit.loon.lim at intel.com> wrote:
> >
> > From: Chin Liang See <chin.liang.see at intel.com>
> >
> > An old inffast.c optimization turns out to not be optimal anymore
> > with modern compilers, and furthermore was not compliant with the
> > C standard, for which decrementing a pointer before its allocated
> > memory is undefined. Per the recommendation of a security audit of
> > the zlib code by Trail of Bits and TrustInSoft, in support of the
> > Mozilla Foundation, this "optimization" was removed, in order to
> > avoid the possibility of undefined behavior.
> 
> A similar change was merged into an official zlib in 2016:
> https://github.com/madler/zlib/commit/9aaec95e82117

As this commit message is copy/pasted from zlib, we need to better
reflect that this is a port of the above mentioned commit to U-Boot. We
should also mention that this is a fix for CVE-2016-9841 which I assume
is why someone within Intel found and made this change. Given
2e2e784de060 ("zlib: Port fix for CVE-2018-25032 to U-Boot") I wonder if
there are any other fixes that need to be posted / addressed?

> It makes me wonder can zlib be used as an external project in U-Boot?
> To be up to date with zlib development.

Given the work to port the code to our codebase, no, not directly. It's
an infrequently changing enough code base that it would make more sense
I think to either re-sync (and compare our changes vs 1.2.5, which is
when we last did this) or check over the commit log between then and now
for any relevant changes to pick up.

-- 
Tom
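
The quoted commit message turns on a C rule: a pointer may not be moved to before the start of its allocation, even if it is never dereferenced there. The added example below is not code from this thread, zlib or U-Boot; it is a simplified LZ77 match copy written in the post-increment style, with the pre-increment form kept only as a comment. The function name `copy_match_postinc` and its parameters are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Pre-increment style (the kind of idiom the commit message describes),
 * shown only as a comment: forming the biased pointers is itself undefined
 * when they land before the start of the buffer's allocation.
 *
 *     unsigned char *out  = dst + pos - 1;    // before dst when pos == 0
 *     unsigned char *from = out - dist;       // before dst when dist == pos
 *     do { *++out = *++from; } while (--len);
 */

/* Post-increment style: every pointer stays inside [dst, dst + cap].
 * Copies `len` bytes starting `dist` bytes back in the output to position
 * `pos` (ranges may overlap when dist < len).
 * Returns the new output position, or 0 if the request is out of bounds. */
size_t copy_match_postinc(unsigned char *dst, size_t cap, size_t pos,
                          size_t dist, size_t len)
{
    if (dist == 0 || dist > pos || pos > cap || len > cap - pos)
        return 0;   /* distance too far back, or output would overflow */

    unsigned char *out = dst + pos;          /* next byte to write */
    const unsigned char *from = out - dist;  /* >= dst because dist <= pos */

    while (len--)
        *out++ = *from++;   /* byte-wise so overlapping matches replicate */

    return (size_t)(out - dst);
}

int main(void)
{
    unsigned char buf[16] = "abc";   /* constructed sample: output so far */
    size_t end = copy_match_postinc(buf, sizeof buf, 3, 3, 6);

    printf("%.*s\n", (int)end, (const char *)buf);
    return (end == 9 && memcmp(buf, "abcabcabc", 9) == 0) ? 0 : 1;
}
```
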