
[Bug]: Security Vulnerability - Action Required: Heap-based Buffer Overflow vulnerability may exist in your project

Open Crispy-fried-chicken opened this issue 1 year ago • 3 comments

Hi there, we have detected that your project may be vulnerable to Heap-based Buffer Overflow. It shares similarities to a recent CVE disclosure, CVE-2023-6992, in https://github.com/freeswitch/sofia-sip. The affected file and functions are as follows:

  1. deflate_stored (deflate_state *s, int flush) in the file deps/libz/deflate.c

The source vulnerability information is as follows:

Vulnerability Detail:
CVE Identifier: CVE-2023-6992
Description: Cloudflare version of zlib library was found to be vulnerable to memory corruption issues affecting the deflation algorithm implementation (deflate.c). The issues resulted from improper input validation and heap-based buffer overflow. A local attacker could exploit the problem during compression using a crafted malicious file potentially leading to denial of service of the software.
Patches: The issue has been patched in commit 8352d10 https://github.com/cloudflare/zlib/commit/8352d108c05db1bdc5ac3bdf834dad641694c13c . The upstream repository is not affected.
Reference: https://nvd.nist.gov/vuln/detail/CVE-2023-6992
Patch: https://github.com/cloudflare/zlib/commit/8352d108c05db1bdc5ac3bdf834dad641694c13c

Would you help to check if this bug is true? If it's true, I'd like to open a PR for that if necessary. Thank you for your effort and patience!

Crispy-fried-chicken avatar Sep 07 '24 11:09 Crispy-fried-chicken

Seems like whatever code you're referencing is just an issue in the dependency zlib.

LibretroAdmin avatar Sep 07 '24 14:09 LibretroAdmin

I think a PR to correct the issue would be appreciated, but since we use autotools rather than cmake, make sure the HAS_SSE2 thing they mention in the comment on that commit is included.

hizzlekizzle avatar Sep 07 '24 21:09 hizzlekizzle

RetroArch doesn't use autotools. It uses its own homegrown configure script. In any case, I'm sure the bundled dependencies have many security problems, which is why you should use system versions whenever possible.

keithbowes avatar Sep 14 '24 00:09 keithbowes