Based on old upstream miniz version with security vulnerabilities #15
Comments
|
This is a file that crashes with a heap corruption when any of the contained files are decompressed: |
|
miniz-cpp is actually not based on any of zlib/minizip, but on miniz. miniz is an independent implementation of zlib compression algorithm. but code updates from upstream miniz is needed anyway... |
cleeus
changed the title
|
Thanks for the correction, I confused the two since the code looks so similar. I changed the issue title accordingly. Is this the authoritative upstream? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
miniz-cpp is based on an old version of zlib/minizip and contains security vulnerabilities. See this example/failing test here: cleeus@d233931
I understand that this project is not in active development but it would be good to point this out in the README, otherwise this code might end up in critical code paths (and it probably alread has). There is a modern, well maintained version of minizip in https://github.com/nmoinvaz/minizip.
The text was updated successfully, but these errors were encountered: