From fd366384cf324d750596feb03be44ddf4d1e6acd Mon Sep 17 00:00:00 2001
From: Mark Adler <git@madler.net>
Date: Sat, 3 Jan 2026 01:07:40 -0600
Subject: Prevent the use of insecure functions without an explicit request.

ZLIB_INSECURE must be defined in order to compile code that uses
the insecure functions vsprintf() or sprintf(). This would occur
only if the standard vsnprintf() or snprintf() functions are not
available. Providing the --insecure option to ./configure will
define ZLIB_INSECURE. A flag is added to zlibCompileFlags() to
indicate that gzprintf() is not implemented due to the need for
the use of an insecure function, but ZLIB_INSECURE was not
defined.
---
 zutil.c | 48 ++++++++++++++++++++++++++++--------------------
 1 file changed, 28 insertions(+), 20 deletions(-)

(limited to 'zutil.c')

diff --git a/zutil.c b/zutil.c
index b1c5d2d..6e8a369 100644
--- a/zutil.c
+++ b/zutil.c
@@ -86,28 +86,36 @@ uLong ZEXPORT zlibCompileFlags(void) {
     flags += 1L << 21;
 #endif
 #if defined(STDC) || defined(Z_HAVE_STDARG_H)
-#  ifdef NO_vsnprintf
-    flags += 1L << 25;
-#    ifdef HAS_vsprintf_void
-    flags += 1L << 26;
-#    endif
-#  else
-#    ifdef HAS_vsnprintf_void
-    flags += 1L << 26;
-#    endif
-#  endif
+#   ifdef NO_vsnprintf
+#       ifdef ZLIB_INSECURE
+            flags += 1L << 25;
+#       else
+            flags += 1L << 27;
+#       endif
+#       ifdef HAS_vsprintf_void
+            flags += 1L << 26;
+#       endif
+#   else
+#       ifdef HAS_vsnprintf_void
+            flags += 1L << 26;
+#       endif
+#   endif
 #else
     flags += 1L << 24;
-#  ifdef NO_snprintf
-    flags += 1L << 25;
-#    ifdef HAS_sprintf_void
-    flags += 1L << 26;
-#    endif
-#  else
-#    ifdef HAS_snprintf_void
-    flags += 1L << 26;
-#    endif
-#  endif
+#   ifdef NO_snprintf
+#       ifdef ZLIB_INSECURE
+            flags += 1L << 25;
+#       else
+            flags += 1L << 27;
+#       endif
+#       ifdef HAS_sprintf_void
+            flags += 1L << 26;
+#       endif
+#   else
+#       ifdef HAS_snprintf_void
+            flags += 1L << 26;
+#       endif
+#   endif
 #endif
     return flags;
 }
-- 
cgit v1.2.3-55-g6feb