Prevent the use of insecure functions without an explicit request.

ZLIB_INSECURE must be defined in order to compile code that uses the insecure functions vsprintf() or sprintf(). This would occur only if the standard vsnprintf() or snprintf() functions are not available. Providing the --insecure option to ./configure will define ZLIB_INSECURE. A flag is added to zlibCompileFlags() to indicate that gzprintf() is not implemented due to the need for the use of an insecure function, but ZLIB_INSECURE was not defined.
author: Mark Adler <git@madler.net> 2026-01-03 01:07:40 -0600
committer: Mark Adler <git@madler.net> 2026-01-05 15:03:04 -0600
commit: fd366384cf324d750596feb03be44ddf4d1e6acd (patch)
tree: 0c1d8eaa0538f8681ae0ce7a4e02ba71ff07d4fd /zlib.h
parent: cab7352dc71048f130a7d4e0b7fd773909761133 (diff)
download: zlib-fd366384cf324d750596feb03be44ddf4d1e6acd.tar.gz
zlib-fd366384cf324d750596feb03be44ddf4d1e6acd.tar.bz2
zlib-fd366384cf324d750596feb03be44ddf4d1e6acd.zip
1 files changed, 18 insertions, 8 deletions
diff --git a/zlib.h b/zlib.h
index 2881da7..595e3cf 100644
--- a/zlib.h
+++ b/zlib.h
@@ -1239,13 +1239,14 @@ ZEXTERN uLong ZEXPORT zlibCompileFlags(void);
     21: FASTEST -- deflate algorithm with only one, lowest compression level
     22,23: 0 (reserved)
-    The sprintf variant used by gzprintf (zero is best):
+    The sprintf variant used by gzprintf (all zeros is best):
     24: 0 = vs*, 1 = s* -- 1 means limited to 20 arguments after the format
-     25: 0 = *nprintf, 1 = *printf -- 1 means gzprintf() not secure!
+     25: 0 = *nprintf, 1 = *printf -- 1 means gzprintf() is not secure!
     26: 0 = returns value, 1 = void -- 1 means inferred string length returned
+     27: 0 = gzprintf() present, 1 = not -- 1 means gzprintf() returns an error
    Remainder:
-     27-31: 0 (reserved)
+     28-31: 0 (reserved)
 */
 #ifndef Z_SOLO
@@ -1527,7 +1528,11 @@ ZEXTERN z_size_t ZEXPORT gzfwrite(voidpc buf, z_size_t size,
   gzwrite() instead.
 */
+#if defined(STDC) || defined(Z_HAVE_STDARG_H)
 ZEXTERN int ZEXPORTVA gzprintf(gzFile file, const char *format, ...);
+#else
+ZEXTERN int ZEXPORTVA gzprintf();
+#endif
 /*
     Convert, format, compress, and write the arguments (...) to file under
   control of the string format, as in fprintf.  gzprintf returns the number of
@@ -1535,11 +1540,16 @@ ZEXTERN int ZEXPORTVA gzprintf(gzFile file, const char *format, ...);
   of error.  The number of uncompressed bytes written is limited to 8191, or
   one less than the buffer size given to gzbuffer().  The caller should assure
   that this limit is not exceeded.  If it is exceeded, then gzprintf() will
-   return an error (0) with nothing written.  In this case, there may also be a
+   return an error (0) with nothing written.
-   buffer overflow with unpredictable consequences, which is possible only if
-   zlib was compiled with the insecure functions sprintf() or vsprintf(),
+     In that last case, there may also be a buffer overflow with unpredictable
-   because the secure snprintf() or vsnprintf() functions were not available.
+   consequences, which is possible only if zlib was compiled with the insecure
-   This can be determined using zlibCompileFlags().
+   functions sprintf() or vsprintf(), because the secure snprintf() and
+   vsnprintf() functions were not available. That would only be the case for
+   a non-ANSI C compiler. zlib may have been built without gzprintf() because
+   secure functions were not available and having gzprintf() be insecure was
+   not an option, in which case, gzprintf() returns Z_STREAM_ERROR. All of
+   these possibilities can be determined using zlibCompileFlags().
     If a Z_BUF_ERROR is returned, then nothing was written due to a stall on
   the non-blocking write destination.
author	Mark Adler <git@madler.net>	2026-01-03 01:07:40 -0600
committer	Mark Adler <git@madler.net>	2026-01-05 15:03:04 -0600
commit	fd366384cf324d750596feb03be44ddf4d1e6acd (patch)
tree	0c1d8eaa0538f8681ae0ce7a4e02ba71ff07d4fd /zlib.h
parent	cab7352dc71048f130a7d4e0b7fd773909761133 (diff)
download	zlib-fd366384cf324d750596feb03be44ddf4d1e6acd.tar.gz zlib-fd366384cf324d750596feb03be44ddf4d1e6acd.tar.bz2 zlib-fd366384cf324d750596feb03be44ddf4d1e6acd.zip

diff --git a/zlib.h b/zlib.h index 2881da7..595e3cf 100644 --- a/zlib.h +++ b/zlib.h
@@ -1239,13 +1239,14 @@ ZEXTERN uLong ZEXPORT zlibCompileFlags(void);
1239	21: FASTEST -- deflate algorithm with only one, lowest compression level	1239	21: FASTEST -- deflate algorithm with only one, lowest compression level
1240	22,23: 0 (reserved)	1240	22,23: 0 (reserved)
1241		1241
1242	The sprintf variant used by gzprintf (zero is best):	1242	The sprintf variant used by gzprintf (all zeros is best):
1243	24: 0 = vs, 1 = s -- 1 means limited to 20 arguments after the format	1243	24: 0 = vs, 1 = s -- 1 means limited to 20 arguments after the format
1244	25: 0 = nprintf, 1 = printf -- 1 means gzprintf() not secure!	1244	25: 0 = nprintf, 1 = printf -- 1 means gzprintf() is not secure!
1245	26: 0 = returns value, 1 = void -- 1 means inferred string length returned	1245	26: 0 = returns value, 1 = void -- 1 means inferred string length returned
		1246	27: 0 = gzprintf() present, 1 = not -- 1 means gzprintf() returns an error
1246		1247
1247	Remainder:	1248	Remainder:
1248	27-31: 0 (reserved)	1249	28-31: 0 (reserved)
1249	*/	1250	*/
1250		1251
1251	#ifndef Z_SOLO	1252	#ifndef Z_SOLO
@@ -1527,7 +1528,11 @@ ZEXTERN z_size_t ZEXPORT gzfwrite(voidpc buf, z_size_t size,
1527	gzwrite() instead.	1528	gzwrite() instead.
1528	*/	1529	*/
1529		1530
		1531	#if defined(STDC) \|\| defined(Z_HAVE_STDARG_H)
1530	ZEXTERN int ZEXPORTVA gzprintf(gzFile file, const char *format, ...);	1532	ZEXTERN int ZEXPORTVA gzprintf(gzFile file, const char *format, ...);
		1533	#else
		1534	ZEXTERN int ZEXPORTVA gzprintf();
		1535	#endif
1531	/*	1536	/*
1532	Convert, format, compress, and write the arguments (...) to file under	1537	Convert, format, compress, and write the arguments (...) to file under
1533	control of the string format, as in fprintf. gzprintf returns the number of	1538	control of the string format, as in fprintf. gzprintf returns the number of
@@ -1535,11 +1540,16 @@ ZEXTERN int ZEXPORTVA gzprintf(gzFile file, const char *format, ...);
1535	of error. The number of uncompressed bytes written is limited to 8191, or	1540	of error. The number of uncompressed bytes written is limited to 8191, or
1536	one less than the buffer size given to gzbuffer(). The caller should assure	1541	one less than the buffer size given to gzbuffer(). The caller should assure
1537	that this limit is not exceeded. If it is exceeded, then gzprintf() will	1542	that this limit is not exceeded. If it is exceeded, then gzprintf() will
1538	return an error (0) with nothing written. In this case, there may also be a	1543	return an error (0) with nothing written.
1539	buffer overflow with unpredictable consequences, which is possible only if	1544
1540	zlib was compiled with the insecure functions sprintf() or vsprintf(),	1545	In that last case, there may also be a buffer overflow with unpredictable
1541	because the secure snprintf() or vsnprintf() functions were not available.	1546	consequences, which is possible only if zlib was compiled with the insecure
1542	This can be determined using zlibCompileFlags().	1547	functions sprintf() or vsprintf(), because the secure snprintf() and
		1548	vsnprintf() functions were not available. That would only be the case for
		1549	a non-ANSI C compiler. zlib may have been built without gzprintf() because
		1550	secure functions were not available and having gzprintf() be insecure was
		1551	not an option, in which case, gzprintf() returns Z_STREAM_ERROR. All of
		1552	these possibilities can be determined using zlibCompileFlags().
1543		1553
1544	If a Z_BUF_ERROR is returned, then nothing was written due to a stall on	1554	If a Z_BUF_ERROR is returned, then nothing was written due to a stall on
1545	the non-blocking write destination.	1555	the non-blocking write destination.