[PATCH] lib: zlib: Use post-increment only in inffast.c.
Peter Robinson
pbrobinson at gmail.com
Mon Sep 12 11:27:08 CEST 2022
> > > An old inffast.c optimization turns out to not be optimal anymore
> > > with modern compilers, and furthermore was not compliant with the
> > > C standard, for which decrementing a pointer before its allocated
> > > memory is undefined. Per the recommendation of a security audit of
> > > the zlib code by Trail of Bits and TrustInSoft, in support of the
> > > Mozilla Foundation, this "optimization" was removed, in order to
> > > avoid the possibility of undefined behavior.
> >
> > A similar change was merged into an official zlib in 2016:
> > https://github.com/madler/zlib/commit/9aaec95e82117
>
> As this commit message is copy/pasted from zlib, we need to better
> reflect that this is a port of the above mentioned commit to U-Boot. We
> should also mention that this is a fix for CVE-2016-9841 which I assume
> is why someone within Intel found and made this change. Given
> 2e2e784de060 ("zlib: Port fix for CVE-2018-25032 to U-Boot") I wonder if
> there are any other fixes that need to be posted / addressed?
>
> > It makes me wonder can zlib be used as an external project in U-Boot?
> > To be up to date with zlib development.
>
> Given the work to port the code to our codebase, no, not directly. It's
> an infrequently changing enough code base that it would make more sense
> I think to either re-sync (and compare our changes vs 1.2.5, which is
> when we last did this) or check over the commit log between then and now
> for any relevant changes to pick up.
Probably makes some sense to rebase to the latest every so often as
there's been some optimisations for architectures, which make be
useful for speed, and bug fixes that have landed since then plus
things like fixes for CVE-2022-37434 which I know we back port
explicitly at times.
Peter
More information about the U-Boot
mailing list