From fd366384cf324d750596feb03be44ddf4d1e6acd Mon Sep 17 00:00:00 2001
From: Mark Adler
Date: Sat, 3 Jan 2026 01:07:40 -0600
Subject: Prevent the use of insecure functions without an explicit request.

ZLIB_INSECURE must be defined in order to compile code that uses the insecure functions vsprintf() or sprintf(). This would occur only if the standard vsnprintf() or snprintf() functions are not available. Providing the --insecure option to ./configure will define ZLIB_INSECURE.

A flag is added to zlibCompileFlags() to indicate that gzprintf() is not implemented due to the need for the use of an insecure function, but ZLIB_INSECURE was not defined.
---
 FAQ | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

(limited to 'FAQ')

diff --git a/FAQ b/FAQ
index df12668..b6b11bd 100644
--- a/FAQ
+++ b/FAQ
@@ -258,15 +258,15 @@ The latest zlib FAQ is at http://zlib.net/zlib_faq.html 33. Does zlib have any security vulnerabilities? The only one that we are aware of is potentially in gzprintf(). If zlib is - compiled to use sprintf() or vsprintf(), then there is no protection - against a buffer overflow of an 8K string space (or other value as set by - gzbuffer()), other than the caller of gzprintf() assuring that the output - will not exceed 8K. On the other hand, if zlib is compiled to use - snprintf() or vsnprintf(), which should normally be the case, then there is - no vulnerability. The ./configure script will display warnings if an - insecure variation of sprintf() will be used by gzprintf(). Also the - zlibCompileFlags() function will return information on what variant of - sprintf() is used by gzprintf(). + compiled to use sprintf() or vsprintf(), which requires that ZLIB_INSECURE + be defined, then there is no protection against a buffer overflow of an 8K + string space (or other value as set by gzbuffer()), other than the caller + of gzprintf() assuring that the output will not exceed 8K. On the other + hand, if zlib is compiled to use snprintf() or vsnprintf(), which should + normally be the case, then there is no vulnerability. The ./configure + script will display warnings if an insecure variation of sprintf() will be + used by gzprintf(). Also the zlibCompileFlags() function will return + information on what variant of sprintf() is used by gzprintf(). If you don't have snprintf() or vsnprintf() and would like one, you can find a good portable implementation in stb_sprintf.h here: -- cgit v1.2.3-55-g6feb
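Review bot: the rewritten answer to question 33 does not document the new default behaviour that the commit message describes. It only adds "which requires that ZLIB_INSECURE be defined" to the sprintf()/vsprintf() sentence, while the commit message says that without ZLIB_INSECURE (i.e. without ./configure --insecure) and without snprintf()/vsnprintf(), gzprintf() is now not implemented at all, and that zlibCompileFlags() gains a flag for exactly that case. A reader of the FAQ should learn that the safe outcome in that configuration is an unavailable gzprintf(), not a silently insecure one, and how to request the insecure build. Suggest adding after "which requires that ZLIB_INSECURE be defined, then there is no protection ..." a sentence along the lines of: "If neither snprintf()/vsnprintf() nor ZLIB_INSECURE is available, gzprintf() is not implemented, and zlibCompileFlags() reports this; ./configure --insecure defines ZLIB_INSECURE." The unchanged sentences "The ./configure script will display warnings if an insecure variation of sprintf() will be used by gzprintf()" and "Also the zlibCompileFlags() function will return information on what variant of sprintf() is used by gzprintf()" should also be re-checked against the new configure and zlibCompileFlags() behaviour, since they still describe a warning-only model rather than an opt-in one.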