Forum: Ruby-core [Bug #1688] Zlib raises a buffer error when inflating some kinds of data

Posted by Luis Lavena (Guest)
on 2009-06-25 06:38
(Received via mailing list)
Bug #1688: Zlib raises a buffer error when inflating some kinds of data
http://redmine.ruby-lang.org/issues/show/1688

Author: Luis Lavena
Status: Open, Priority: High
ruby -v: 1.8.6-p287, 1.8.7, 1.9.1-p129

This issue was originally reported to the One-Click Installer project by 
Jeremy Bopp:

http://rubyforge.org//tracker/?func=detail&atid=715&aid=26404&group_id=167

Description:

While extracting compressed entries from a ZIP archive, I came across a 
particular file entry which when read in using
a 4096 byte buffer which was then sent to be inflated would cause Zlib 
to raise a buffer error.  This affects
versions 186-26, 186-27-rc1, and 186-27-rc2 of the One-Click Ruby 
installation but does not affect other builds of Ruby
I have tested:

ruby 1.8.7 (2008-08-11 patchlevel 72) [i386-cygwin]
ruby 1.8.7 (2008-08-11 patchlevel 72) [x86_64-linux]

I have not tried this test with other builds of Ruby version 1.8.6 to 
isolate whether or not this is a general error
for Ruby 1.8.6 or if this is specific to the One-Click Ruby Installer 
build.  This appears to be a Zlib-specific defect.

I have attached a simple test case which reliably reproduces this error 
condition on the affected versions of Ruby.
This test case will try all possible buffer sizes for reading in the 
included compressed data file and will report all
buffer sizes which cause this error.  In my testing the following output 
is printed over a range of buffer sizes from
1 to 4704 bytes on all affected versions of Ruby:

buffer error: buffer size: 1040 bytes
buffer error: buffer size: 4096 bytes
buffer error: buffer size: 4097 bytes

This indicates that buffer errors were generated when reading and 
subsequently inflating the first 1040, 4096, and 4097
bytes of the compressed data file.  There should be no errors at all, 
and the zlib-test.rb script should simply exit
without any output.

-----

Date: 2009-06-23 20:16
Sender: Luis Lavena

Hello Jeremy.

Thank you for reporting this.

Could you try the exact same issue with MinGW Based version of
Ruby?

You can download those from here:

http://rubyinstaller.org/downloads

All the current versions of the installer are built against an
unknown version of Zlib and the ruby-zlib extension.

Since newer versions of the installer will be based on MinGW
(GCC), verifying that environment and creating a small test case
will be great for us to fix or forward this upstream to Ruby-Core.

Thank you.

----

Date: 2009-06-24 10:55
Sender: Jeremy Bopp

The testcase completed successfully with the following
MinGW-built versions located at the site you indicated:

ruby 1.8.6 (2009-03-31 patchlevel 368) [i386-mingw32]
ruby 1.9.1p129 (2009-05-12 revision 23412) [i386-mingw32]

----

Date: 2009-06-25 01:27
Sender: Luis Lavena

Thank you Jeremy.

I'm going to report this to Ruby-core, since the binaries exposed
in Ruby-lang and the ones used by One-Click Installer prior to the
MinGW releases are built by maintainers over there and not by us.

I'm not 100% sure what is going on there, but it appears to be
an issue with zlib-ruby extension and the version of zlib.dll
(which should be zlib1.dll anyway).

----

Conclusion: as my last comment in the report states, there is an issue 
with all the binaries being released AND advertised at Ruby-lang 
website.

Since One-Click Installer has been using those binaries to build the 
installers, all the user base is affected by those issues.

This can be extended to those users having random Zlib buffer errors, 
since it seems all are affected by the exact same component.

Also, this can be extended to 1.9 and 1.8.7, since these two versions use 
the exact same version of zlib (zlib.dll) which is not provided in the 
download and people blindly get from the zlib.net page.

Find attached the test case file provided by Jeremy.

I apologize for being negative and pessimistic, but as maintainer of 
One-Click Installer, getting these kinds of reports on a daily basis or 
direct emails is overwhelming when there is nothing we can do about it.

I'd love some feedback on these issues, the binaries used or at least 
share the building instructions to distribute some sort of patch or 
install note to the community.

Thank you.
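
A harness along the lines the report describes, as an added example: it is not Jeremy's attached zlib-test.rb, which is not reproduced on this page. It uses constructed data rather than the ZIP entry from the report, assumes raw deflate (as ZIP entries store it), and goes one step further than the report by reading the rest of the stream at each buffer size and comparing the output. All method names are hypothetical.

```ruby
require "zlib"

# Constructed input: 10,000 seeded pseudo-random bytes over a 16-symbol
# alphabet, so the compressed stream is longer than the 4096/4097-byte
# buffer sizes named in the report.
def sample_plain
  rng = Random.new(1688)
  Array.new(10_000) { 97 + rng.rand(16) }.pack("C*")
end

# Raw deflate (negative window bits, no zlib header), as stored in ZIP entries.
def raw_deflate(plain)
  z = Zlib::Deflate.new(Zlib::DEFAULT_COMPRESSION, -Zlib::MAX_WBITS)
  z.deflate(plain, Zlib::FINISH)
ensure
  z&.close
end

# Inflate the stream in reads of `size` bytes. The first read is exactly the
# report's case (only the first `size` bytes handed to a fresh inflater).
# Returns nil on success, otherwise the zlib error message or a mismatch note.
def check_size(raw, plain, size)
  z = Zlib::Inflate.new(-Zlib::MAX_WBITS)
  out = "".b
  0.step(raw.bytesize - 1, size) { |off| out << z.inflate(raw.byteslice(off, size)) }
  out << z.finish
  out == plain ? nil : "output mismatch"
rescue Zlib::Error => e
  e.message
ensure
  z&.close
end

# Try every buffer size from 1 up to the stream length.
# Returns [[size, reason], ...]; an empty list means no size failed.
def failing_sizes(raw, plain)
  (1..raw.bytesize).each_with_object([]) do |size, bad|
    reason = check_size(raw, plain, size)
    bad << [size, reason] if reason
  end
end

if __FILE__ == $PROGRAM_NAME
  plain = sample_plain
  failing_sizes(raw_deflate(plain), plain).each do |size, why|
    puts "#{why}: buffer size: #{size} bytes" # same shape as the report's output
  end
end
```

As in the report, a correct zlib build should print nothing.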
Posted by Roger Pack (Guest)
on 2009-06-25 15:29
(Received via mailing list)
Issue #1688 has been updated by Roger Pack.


do different versions of zlib.dll fix the problem?
----------------------------------------
http://redmine.ruby-lang.org/issues/show/1688
Posted by Luis Lavena (luislavena)
on 2009-06-25 15:36
(Received via mailing list)
On Thu, Jun 25, 2009 at 10:28 AM, Roger Pack<redmine@ruby-lang.org> 
wrote:
> Issue #1688 has been updated by Roger Pack.
>
>
> do different versions of zlib.dll fix the problem?

The problem is to know which version, right now I've tested latest one
(1.2.3), and previous ones: 1.2.2 and 1.2.1 without success.

And even worse, those have a security risk outlined at zlib.net page:

http://zlib.net/
Posted by Roger Pack (Guest)
on 2009-06-25 16:31
(Received via mailing list)
>> do different versions of zlib.dll fix the problem?
>
> The problem is to know which version, right now I've tested latest one
> (1.2.3), and previous ones: 1.2.2 and 1.2.1 without success.

Does pure ruby zlib work?
=r
Posted by Luis Lavena (luislavena)
on 2009-06-25 16:41
(Received via mailing list)
On Thu, Jun 25, 2009 at 11:29 AM, Roger Pack<rogerdpack@gmail.com> 
wrote:
>>> do different versions of zlib.dll fix the problem?
>>
>> The problem is to know which version, right now I've tested latest one
>> (1.2.3), and previous ones: 1.2.2 and 1.2.1 without success.
>
> Does pure ruby zlib work?

Haven't tested, be my guest ;-)