Diffstat (limited to 'FAQ')
-rw-r--r--FAQ18
1 files changed, 9 insertions, 9 deletions
diff --git a/FAQ b/FAQ
index df12668..b6b11bd 100644
--- a/FAQ
+++ b/FAQ
@@ -258,15 +258,15 @@ The latest zlib FAQ is at http://zlib.net/zlib_faq.html
25833. Does zlib have any security vulnerabilities? 25833. Does zlib have any security vulnerabilities?
259 259
260 The only one that we are aware of is potentially in gzprintf(). If zlib is 260 The only one that we are aware of is potentially in gzprintf(). If zlib is
261 compiled to use sprintf() or vsprintf(), then there is no protection 261 compiled to use sprintf() or vsprintf(), which requires that ZLIB_INSECURE
262 against a buffer overflow of an 8K string space (or other value as set by 262 be defined, then there is no protection against a buffer overflow of an 8K
263 gzbuffer()), other than the caller of gzprintf() assuring that the output 263 string space (or other value as set by gzbuffer()), other than the caller
264 will not exceed 8K. On the other hand, if zlib is compiled to use 264 of gzprintf() assuring that the output will not exceed 8K. On the other
265 snprintf() or vsnprintf(), which should normally be the case, then there is 265 hand, if zlib is compiled to use snprintf() or vsnprintf(), which should
266 no vulnerability. The ./configure script will display warnings if an 266 normally be the case, then there is no vulnerability. The ./configure
267 insecure variation of sprintf() will be used by gzprintf(). Also the 267 script will display warnings if an insecure variation of sprintf() will be
268 zlibCompileFlags() function will return information on what variant of 268 used by gzprintf(). Also the zlibCompileFlags() function will return
269 sprintf() is used by gzprintf(). 269 information on what variant of sprintf() is used by gzprintf().
270 270
271 If you don't have snprintf() or vsnprintf() and would like one, you can 271 If you don't have snprintf() or vsnprintf() and would like one, you can
272 find a good portable implementation in stb_sprintf.h here: 272 find a good portable implementation in stb_sprintf.h here:
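Review bot: the substantive change in this hunk is the single added clause "which requires that ZLIB_INSECURE be defined" at line 261; the re-wrap of every following line through 269 turns a one-clause documentation edit into a 9-line hunk (9 insertions, 9 deletions per the diffstat) and hides the actual content change from reviewers and from blame. Consider keeping the original line breaks where they still fit, or doing the re-wrap as a separate whitespace-only commit. On the content itself: now that the sprintf()/vsprintf() path is documented as opt-in via ZLIB_INSECURE, the later sentence "The ./configure script will display warnings if an insecure variation of sprintf() will be used by gzprintf()" could say that such a warning means ZLIB_INSECURE is in effect, so a reader knows exactly which define to look for, and the sentence about zlibCompileFlags() is the right place to point at as the runtime check for a prebuilt library.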