Re: Re: zlib security audit by 7asecurity

[Sevan Janiyan <venture37 () geeklan co uk>]

On 17/02/2026 23:57, Sevan Janiyan wrote:
> I could set -std=gnu99 but then it's not going to be a quiet drop-in 
> upgrade for all the exist packages built.
> Was actually thinking that what happens during configure and the build 
> are completely different. configure "detects" the presence of 
> vsnprintf() by the compiler not making any noise, but things are handled 
> separately in gzguts.h which until you dig in are left wondering why is 
> it complaining about the lack of vsnprintf() when the configure stage 
> was happy). Will raise a ticket for that.

Dug in a bit further and realised the logic in gzguts.h makes the wrong 
assumption about "if C89/90, assume no C99 snprintf() or vsnprintf()" as 
these functions have been around for a very long time[1] though 
formalised in C99. All versions of OS X include it and you are likely 
going to be building with a compiler that only supports C89/90 on the 
earlier releases or defaults to it.

Raised a pull request[2], let's see if it lands.


Sevan
[1] https://www.tuhs.org/cgi-bin/utree.pl?file=Net2/usr/src/lib/libc/stdio
[2] https://github.com/madler/zlib/pull/1167