stcorp / coda

The Common Data Access toolset
http://stcorp.github.io/coda/doc/html/index.html
BSD 3-Clause "New" or "Revised" License

Initializing variable which may be used in an uninitialized fashion (closes #80) #81

Closed ruimaranhao closed 4 years ago

ruimaranhao commented 4 years ago

Initializing variable which may be used in an uninitialized fashion as reported by the test case included in issue #80.

Using uninitialized memory can be a security issue, such as potentially leaking previous stack contents. By zero-initializing, we avoid such potential leaks.

Running with the specific input case after this PR is applied no longer results in any error findings (credits: the input case was found using google/clusterfuzz).

Note that this PR only avoids the uninitialized memory use identified in that bug, and is unaware of the functionality or semantics of the rest of the code. The file owners are welcome to suggest alternate fixes on this PR or address other behavioral concerns in a separate PR.

(For the record: I am currently a Visiting Researcher at Google NYC and this fix is the result of an internal project).

svniemeijer commented 4 years ago

This is not the right fix. If there is a problem with reading uninitialised data then this would be a problem in za_read_entry which should initialise all filesize amount of allocated bytes (and return an error if this wasn't possible). Using calloc is solving the symptom, not the core problem.
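As an added illustration of the maintainer's point (not CODA's code; the in-memory source, the 4-byte short read and the function names are constructed assumptions), here is the PR's calloc approach beside a read loop that either fills every one of the filesize bytes or returns an error:

```c
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
/* Hypothetical in-memory "file" standing in for the archive entry being read.
 * Added illustration only; this is not CODA's za_read_entry or its I/O layer. */
typedef struct {
    const uint8_t *data;
    size_t size;
    size_t pos;
} mem_source;

/* Simulated short read: at most 4 bytes per call, so one read() does not
 * guarantee a full buffer (as with pipes, sockets or a truncated file). */
static size_t mem_read(mem_source *src, uint8_t *dst, size_t len)
{
    size_t avail = src->size - src->pos;
    if (len > avail) len = avail;
    if (len > 4) len = 4;
    memcpy(dst, src->data + src->pos, len);
    src->pos += len;
    return len;
}

/* Symptom-only fix as in the PR: zero the buffer and read once.
 * A short read goes unnoticed; the tail is zeros rather than entry data. */
uint8_t *read_entry_calloc(mem_source *src, size_t filesize)
{
    uint8_t *buf = calloc(filesize, 1);
    if (buf == NULL) return NULL;
    mem_read(src, buf, filesize);
    return buf;
}

/* Root-cause fix as the maintainer describes it: keep reading until all
 * filesize bytes are filled, and fail (freeing the buffer) if that is
 * not possible, so no uninitialised byte can ever reach the caller. */
int read_entry_full(mem_source *src, size_t filesize, uint8_t **out)
{
    uint8_t *buf = malloc(filesize);
    size_t got = 0;
    if (buf == NULL) return -1;
    while (got < filesize) {
        size_t n = mem_read(src, buf + got, filesize - got);
        if (n == 0) {          /* EOF or error before the entry was complete */
            free(buf);
            return -1;
        }
        got += n;
    }
    *out = buf;
    return 0;
}
```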

svniemeijer commented 4 years ago

Appropriate fix was implemented in 22eb9197ab973055ce856f40b02157eb5833a958