Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix: Potential Vulnerability in Cloned Function #6246

Merged
merged 1 commit into from
Mar 4, 2025
Merged

Fix: Potential Vulnerability in Cloned Function #6246

merged 1 commit into from
Mar 4, 2025

Conversation

tabudz
Copy link
Contributor

@tabudz tabudz commented Mar 3, 2025

Description
This PR fixes a security vulnerability in inflate() that was cloned from zlib but did not receive the security patch applied in zlib. The original issue was reported and fixed under madler/zlib@eff308a.
This PR applies the same patch as the one in zlib to eliminate the vulnerability.

References
https://nvd.nist.gov/vuln/detail/CVE-2022-37434
madler/zlib@eff308a

@tabudz
Fix a bug when getting a gzip header extra field with inflate().
8df7021 
If the extra field was larger than the space the user provided with
inflateGetHeader(), and if multiple calls of inflate() delivered
the extra header data, then there could be a buffer overflow of the
provided space. This commit assures that provided space is not
exceeded.
@mvieth mvieth added module: surface changelog: fix Meta-information for changelog generation labels Mar 4, 2025
mvieth
mvieth approved these changes Mar 4, 2025
View reviewed changes
Copy link
Member

@mvieth mvieth left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!
As a side note: PCL will by default use a zlib installation from the system (see https://github.com/PointCloudLibrary/pcl/blob/master/surface/CMakeLists.txt#L70 ) and will only use these copied zlib files if specifically requested by the user. So hopefully the effects of these potential vulnerabilities are not too extensive.

@mvieth mvieth merged commit f10dfe9 into PointCloudLibrary:master Mar 4, 2025
13 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mvieth mvieth mvieth approved these changes

Assignees
No one assigned
Labels
changelog: fix Meta-information for changelog generation module: surface
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@tabudz @mvieth