Re: [Patch] 2.5.70-bk11 zlib merge #4 pure magic

From: Paul Mackerras (
Date: Sat Jun 07 2003 - 04:40:25 EST

Jörn Engel writes:

> The only code that could be bitten by this change is ppp, so I changed
> that as well. Paulus, could you have a quick look at it?

As Bart pointed out, there is a bug in zlib for window_size == 256.
Here is James Carlson's description of the problem:

        The problem is that s->strstart gets set to a very large
        positive integer when wsize (local copy of s->w_size) is
        subtracted in deflate.c:fill_window(). This happens because
        MAX_DIST(s) resolves as a negative number when the window size
        is 8 -- MAX_DIST(s) is defined as s->w_size-MIN_LOOKAHEAD in
        deflate.h. MIN_LOOKAHEAD is MAX_MATCH+MIN_MATCH+1, and that
        is 258+3+1 or 262. Since a window size of 8 gives s->w_size
        256, MAX_DIST(s) is 256-262 or -6.

        This results in read_buf() writing over memory outside of
        s->window, and a crash.

Your change won't affect PPP, since pppd already refuses to use
windowBits == 8 (as a workaround for this bug).


To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to
More majordomo info at
Please read the FAQ at

This archive was generated by hypermail 2b29 : Sat Jun 07 2003 - 22:00:32 EST