tfussell / miniz-cpp

A cross-platform header-only C++14 library for reading and writing ZIP files
MIT License

Based on an old upstream miniz version with security vulnerabilities #15

Open cleeus opened 3 years ago

cleeus commented 3 years ago

miniz-cpp is based on an old version of zlib/minizip and contains security vulnerabilities. See this example/failing test here: https://github.com/cleeus/miniz-cpp/commit/d2339317086cb6398987bf34f04895ddaa9ba30a

I understand that this project is not in active development, but it would be good to point this out in the README, otherwise this code might end up in critical code paths (and it probably already has). There is a modern, well maintained version of minizip in https://github.com/nmoinvaz/minizip.

cleeus commented 3 years ago

This is a file that crashes with a heap corruption when any of the contained files are decompressed: id_000003.zip

harry75369 commented 3 years ago

miniz-cpp is actually not based on any of zlib/minizip, but on miniz. miniz is an independent implementation of the zlib compression algorithm.

But code updates from upstream miniz are needed anyway...

cleeus commented 3 years ago

Thanks for the correction, I confused the two since the code looks so similar. I changed the issue title accordingly.

Is this the authoritative upstream? https://github.com/richgel999/miniz