On Tue, 2006-02-21 at 08:20 -0800, Garrett Rooney wrote:
> On 2/20/06, Branko Čibej <brane@xbc.nu> wrote:
> > Garrett Rooney wrote:
> > > We're still having trouble building trunk with older versions of zlib
> > >
> > What's an "older version"? IIRC, anything before 1.2.3 (at least the
> > 1.1.x and 1.2.[012] line) has a security hole which 1.2.3 fixed.
>
> I'm not in front of the machines in question at the moment, but I saw
> the problem in whatever zlib versions are shipped with Redhat
> Enterprise 4 and Solaris 10.
>
Errr, not if you are keeping up to date on your redhat updates you
didn't.

-bash-3.00$ cat /etc/redhat-release
Red Hat Enterprise Linux AS release 4 (Nahant Update 2)
-bash-3.00$ grep compressBound /usr/include/zlib.h
...
ZEXTERN uLong ZEXPORT compressBound OF((uLong sourceLen));
-bash-3.00$ rpm -qi zlib-devel
Name        : zlib-devel                    Relocations: /usr
Version     : 1.2.1.2                       Vendor: Red Hat, Inc.
Release     : 1.2                           Build Date: Tue 12 Jul 2005 03:06:22 PM GMT
Install Date: Wed 10 Aug 2005 02:41:04 PM GMT   Build Host: decompose.build.redhat.com
Group       : Development/Libraries         Source RPM: zlib-1.2.1.2-1.2.src.rpm
Size        : 218767                        License: BSD
Signature   : DSA/SHA1, Tue 12 Jul 2005 08:37:35 PM GMT, Key ID 219180cddb42a60e
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.gzip.org/zlib/
Summary     : Header files and libraries for Zlib development.
Description :
The zlib-devel package contains the header files and libraries needed
to develop programs that use the zlib compression and decompression
library.

Anyhoo, I believe the correct solution is to simply paste the definition
of compressBound into the file as a macro, note where it came from, and
be done with it.

compressBound is defined as:

/* If the default memLevel or windowBits for deflateInit() is changed,
   then this function needs to be updated. */
uLong ZEXPORT compressBound (sourceLen)
    uLong sourceLen;
{
    return sourceLen + (sourceLen >> 12) + (sourceLen >> 14) + 11;
}

When I suggested this on IRC, there was some acrimony over the idea that
this calculation may sometime change, but:

1. It hasn't changed since zlib has started
2. They have no plans to ever change it, AFAIK
3. The docs above it simply say that *if you change the window bits,
   etc, you need to change these numbers*. They didn't even make the
   numbers a define.
4. If it ever broke, you'd just get errors from zlib on compress about
   the output buffer not being large enough and we'd fix it rather quickly.

"compress2 returns Z_OK if success, Z_MEM_ERROR if there was not enough
memory, Z_BUF_ERROR if there was not enough room in the output buffer,
Z_STREAM_ERROR if the level parameter is invalid."

There is no solution to "not using compressBound" in some form, whether
we inline it or not.

A configure test where we select either the zlib.h version or our
version would be silly, because then, in the remote possibility it ever
did change, your subversion would break depending on whether you had a
new enough zlib around it could pull compressBound from or not.

If we inline it, and zlib changes the output buffer size requirement, it
will at least fail consistently :)
Received on Wed Feb 22 04:34:54 2006
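
An added example, not part of the message and not Subversion's or zlib's own code: one way to carry the inlined bound described above as a local macro. SVN__COMPRESS_BOUND, checked_compress_bound and alloc_compress_buffer are hypothetical names, and the wrap check goes one step beyond the message, since the sum is unsigned arithmetic that feeds a buffer size.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Local copy of the bound quoted in the message above, so the build does
   not depend on zlib.h declaring compressBound().  The macro name is
   hypothetical and chosen for this example only. */
#define SVN__COMPRESS_BOUND(len) \
  ((len) + ((len) >> 12) + ((len) >> 14) + 11)

/* Store the bound for SOURCE_LEN in *BOUND and return 0, or return -1 if
   the sum would wrap around unsigned long.  A wrapped sum is a small
   number, and a buffer of that size is too small for the input. */
static int
checked_compress_bound(unsigned long source_len, unsigned long *bound)
{
  /* The overhead term cannot wrap by itself: it is far below ULONG_MAX. */
  unsigned long overhead = (source_len >> 12) + (source_len >> 14) + 11;

  if (overhead > ULONG_MAX - source_len)
    return -1;

  *bound = SVN__COMPRESS_BOUND(source_len);
  return 0;
}

/* Allocate an output buffer for compressing SOURCE_LEN bytes.  Returns
   NULL on wrap or allocation failure; on success *BUF_LEN holds the
   destination length to hand to the compressor. */
static unsigned char *
alloc_compress_buffer(unsigned long source_len, unsigned long *buf_len)
{
  if (checked_compress_bound(source_len, buf_len) != 0)
    return NULL;
  return malloc((size_t)*buf_len);
}

int main(void)
{
  unsigned long len = 0;
  unsigned char *buf = alloc_compress_buffer(1024, &len);

  if (buf == NULL)
    return 1;
  printf("1024 bytes of input -> %lu byte output buffer\n", len);
  free(buf);
  return 0;
}
```

The length this returns is the destination size the caller passes to compress2, whose Z_BUF_ERROR return (quoted in the message) still has to be checked.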