From 92537ee19784e0e545f06d89b7d89ab532a18cff Mon Sep 17 00:00:00 2001
From: Hans Wennborg <[email protected]>
Date: Tue, 3 Nov 2020 15:54:09 +0100
Subject: [PATCH] [zlib] Zero-initialize the window used for deflation

Otherwise MSan complains about use-of-uninitialized values in the
window.
This happens in both regular deflate's longest_match and deflate_rle.

Before crrev.com/822755 we used to suppress those reports, but it seems
better to fix it properly. That will also allow us to catch other
potential issues with MSan in these functions.

The instances of this that we've seen only reproduce with
fill_window_sse(), not with the regular fill_window() function. Since
the former doesn't exist in upstream zlib, I'm not planning to send this
patch upstream.

Bug: 1137613, 1144420
---
 third_party/zlib/deflate.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/third_party/zlib/deflate.c b/third_party/zlib/deflate.c
index 8bf93e524875..fc7ae45905ff 100644
--- a/third_party/zlib/deflate.c
+++ b/third_party/zlib/deflate.c
@@ -321,6 +321,9 @@ int ZEXPORT deflateInit2_(strm, level, method, windowBits, memLevel, strategy,
 s->window = (Bytef *) ZALLOC(strm,
 s->w_size + window_padding,
 2*sizeof(Byte));
+ /* Avoid use of unitialized values in the window, see crbug.com/1137613 and
+ * crbug.com/1144420 */
+ zmemzero(s->window, (s->w_size + window_padding) * (2 * sizeof(Byte)));
 s->prev = (Posf *) ZALLOC(strm, s->w_size, sizeof(Pos));
 /* Avoid use of uninitialized value, see:
 * https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=11360
-- 
2.29.1.341.ge80a0c044ae-goog
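Review bot: the added zmemzero() runs unconditionally on the pointer just returned by ZALLOC(), with no Z_NULL check visible between the two; in deflateInit2_ the allocation-failure check comes later, after s->prev, s->head and s->pending_buf have also been allocated, so if the window allocation fails this turns a clean Z_MEM_ERROR into a NULL dereference. Guard the memset, e.g. `if (s->window != Z_NULL) zmemzero(s->window, (s->w_size + window_padding) * (2 * sizeof(Byte)));`, or move it after the existing Z_NULL check. The size expression itself matches the ZALLOC arguments (items times size), which is fine. Minor: "unitialized" in the new comment should be "uninitialized", matching the wording of the s->prev comment right below it, and it is worth noting in the commit message that this zeroes up to (64 KiB + padding) * 2 bytes on every deflateInit2_ call, which is the cost of not relying on the allocator's contents.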