Re: Re: zlib security audit by 7asecurity

[Sevan Janiyan <venture37 () geeklan co uk>]

On 18/02/2026 12:15, Sevan Janiyan wrote:
> Dug in a bit further and realised the logic in gzguts.h makes the wrong 
> assumption about "if C89/90, assume no C99 snprintf() or vsnprintf()" as 
> these functions have been around for a very long time[1] though 
> formalised in C99. All versions of OS X include it and you are likely 
> going to be building with a compiler that only supports C89/90 on the 
> earlier releases or defaults to it.

I did some more digging and found that on OS X 10.6 (from 2009) and 
prior vsnprintf() is not used because of the discrepancy in gzguts.h, 
though configure is happy.
On OS X 10.7 (from 2011) onwards you're good if you stick to the default 
compiler which is clang.
If you switch to the fallback secondary compiler (llvm-gcc 4.2) then 
you'll have the same issue as OS X 10.6 and prior, when building on OS X 
10.7 & 10.8 (from 2012).
Issue goes away in 10.9 (from 2013) since it only includes clang.
The patch I submitted[1] in the pull request fixes all versions which 
had issues (10.2 up to 10.8) that I tested, when running the test suite.

While I've investigated the issue on Mac OS X, I suspect the issue 
applies to legacy versions of derivatives from the same lineage[2] in 
general which use legacy GCC, if you're still building modern zlib on it.

Not sure if that's what was meant by "real-world environment". :)

Sincerely,


Sevan
[1] https://github.com/madler/zlib/pull/1167
[2] https://www.tuhs.org/cgi-bin/utree.pl?file=Net2/usr/src/lib/libc/stdio