This patch fixes security holes caused by potential buffer overflows
in the implementation of the gzprintf() function in zlib 1.1.4. The
security holes are fixed for platforms providing vsnprintf(3) and
snprintf(3) only. This patch is derived from a prepared security patch,
originally created by Kelledin <kelledin@users.sourceforge.net>. The
OpenPKG project reduced the patch in size and fixed the configuration
checks.

diff -ru3 zlib-1.1.4.orig/configure zlib-1.1.4/configure
--- zlib-1.1.4.orig/configure	Wed Jul  8 20:19:35 1998
+++ zlib-1.1.4/configure	Thu Feb 27 15:14:54 2003
@@ -155,7 +155,212 @@
   echo "Checking for unistd.h... No."
 fi
 
-cat > $test.c <<EOF
+cat >$test.c <<EOF
+#include <stdio.h>
+#include <stdlib.h>
+
+#if (defined(__MSDOS__) || defined(_WINDOWS) || defined(_WIN32) || defined(__WIN32__) || defined(WIN32) || defined(__STDC__) || defined(__cplusplus) || defined(__OS2__)) && !defined(STDC)
+#  define STDC
+#endif
+
+int main() 
+{
+#ifndef STDC
+  choke me
+#endif
+
+  return 0;
+}
+EOF
+
+if test "`($CC -c $CFLAGS $test.c) 2>&1`" = ""; then
+  echo "Checking whether to use vsnprintf() or snprintf()... using vsnprintf()"
+
+  cat >$test.c <<EOF
+#include <stdio.h>
+#include <stdarg.h>
+
+int mytest(char *fmt, ...)
+{
+  char buf[20];
+  va_list ap;
+
+  va_start(ap, fmt);
+  vsnprintf(buf, sizeof(buf), fmt, ap);
+  va_end(ap);
+  return 0;
+}
+
+int main()
+{
+  return (mytest("Hello%d\n", 1));
+}
+EOF
+  
+  if test "`($CC -c $CFLAGS $test.c) 2>&1`" = ""; then
+    CFLAGS="$CFLAGS -DHAS_vsnprintf"
+    echo "Checking for vsnprintf() in stdio.h... Yes."
+
+    cat >$test.c <<EOF
+#include <stdio.h>
+#include <stdarg.h>
+
+int mytest(char *fmt, ...)
+{
+  int i;
+  char buf[20];
+  va_list ap;
+
+  va_start(ap, fmt);
+  i = vsnprintf(buf, sizeof(buf), fmt, ap);
+  va_end(ap);
+  return 0;
+}
+
+int main()
+{
+  return (mytest("Hello%d\n", 1));
+}
+EOF
+
+    if test "`($CC -c $CFLAGS $test.c) 2>&1`" = ""; then
+      CFLAGS="$CFLAGS -DHAS_vsnprintf_return"
+      echo "Checking for return value of vsnprintf()... Yes."
+    else
+      echo "Checking for return value of vsnprintf()... No."
+      echo "  WARNING: apparently vsnprintf() does not return a value. zlib"
+      echo "  can build but will be open to possible string-format security"
+      echo "  vulnerabilities."
+    fi
+  else
+    echo "Checking for vsnprintf() in stdio.h... No."
+    echo "  WARNING: vsnprintf() not found, falling back to vsprintf(). zlib"
+    echo "  can build but will be open to possible buffer-overflow security"
+    echo "  vulnerabilities."
+
+    cat >$test.c <<EOF
+#include <stdio.h>
+#include <stdarg.h>
+
+int mytest(char *fmt, ...)
+{
+  int i;
+  char buf[20];
+  va_list ap;
+
+  va_start(ap, fmt);
+  i = vsprintf(buf, fmt, ap);
+  va_end(ap);
+  return 0;
+}
+
+int main() 
+{
+  return (mytest("Hello%d\n", 1));
+}
+EOF
+
+    if test "`($CC -c $CFLAGS $test.c) 2>&1`" = ""; then
+      CFLAGS="$CFLAGS -DHAS_vsprintf_return"
+      echo "Checking for return value of vsprintf()... Yes."
+    else
+      echo "Checking for return value of vsprintf()... No."
+      echo "  WARNING: apparently vsprintf() does not return a value. zlib"
+      echo "  can build but will be open to possible string-format security"
+      echo "  vulnerabilities."
+    fi
+  fi
+else
+  echo "Checking whether to use vsnprintf() or snprintf()... using snprintf()"
+
+  cat >$test.c <<EOF
+#include <stdio.h>
+#include <stdarg.h>
+
+int mytest() 
+{
+  char buf[20];
+
+  snprintf(buf, sizeof(buf), "%s", "foo");
+  return 0;
+}
+
+int main() 
+{
+  return (mytest());
+}
+EOF
+
+  if test "`($CC -c $CFLAGS $test.c) 2>&1`" = ""; then
+    CFLAGS="$CFLAGS -DHAS_snprintf"
+    echo "Checking for snprintf() in stdio.h... Yes."
+
+    cat >$test.c <<EOF
+#include <stdio.h>
+#include <stdarg.h>
+
+int mytest(char *fmt, ...)
+{
+  int i;
+  char buf[20];
+
+  i = snprintf(buf, sizeof(buf), "%s", "foo");
+  return 0;
+}
+
+int main() 
+{
+  return (mytest());
+}
+EOF
+
+    if test "`($CC -c $CFLAGS $test.c) 2>&1`" = ""; then
+      CFLAGS="$CFLAGS -DHAS_snprintf_return"
+      echo "Checking for return value of snprintf()... Yes."
+    else
+      echo "Checking for return value of snprintf()... No."
+      echo "  WARNING: apparently snprintf() does not return a value. zlib"
+      echo "  can build but will be open to possible string-format security"
+      echo "  vulnerabilities."
+    fi
+  else
+    echo "Checking for snprintf() in stdio.h... No."
+    echo "  WARNING: snprintf() not found, falling back to sprintf(). zlib"
+    echo "  can build but will be open to possible buffer-overflow security"
+    echo "  vulnerabilities."
+
+    cat >$test.c <<EOF
+#include <stdio.h>
+#include <stdarg.h>
+
+int mytest(char *fmt, ...) 
+{
+  int i;
+  char buf[20];
+
+  i = sprintf(buf, "%s", "foo");
+  return 0;
+}
+
+int main() 
+{
+  return (mytest());
+}
+EOF
+
+    if test "`($CC -c $CFLAGS $test.c) 2>&1`" = ""; then
+      CFLAGS="$CFLAGS -DHAS_sprintf_return"
+      echo "Checking for return value of sprintf()... Yes."
+    else
+      echo "Checking for return value of sprintf()... No."
+      echo "  WARNING: apparently sprintf() does not return a value. zlib"
+      echo "  can build but will be open to possible string-format security"
+      echo "  vulnerabilities."
+    fi
+  fi
+fi
+
+cat >$test.c <<EOF
 #include <errno.h>
 int main() { return 0; }
 EOF
diff -ru3 zlib-1.1.4.orig/gzio.c zlib-1.1.4/gzio.c
--- zlib-1.1.4.orig/gzio.c	Mon Mar 11 14:16:01 2002
+++ zlib-1.1.4/gzio.c	Thu Feb 27 14:29:26 2003
@@ -530,13 +530,31 @@
 
     va_start(va, format);
 #ifdef HAS_vsnprintf
+#  ifdef HAS_vsnprintf_return
+    len = vsnprintf(buf, sizeof(buf), format, va);
+    va_end(va);
+    if (len <= 0 || len >= sizeof(buf))
+        return 0;
+#  else
     (void)vsnprintf(buf, sizeof(buf), format, va);
+    va_end(va);
+    len = strlen(buf);
+    if (len <= 0)
+        return 0;
+#  endif
 #else
+#  ifdef HAS_vsprintf_return
+    len = vsprintf(buf, format, va);
+    va_end(va);
+    if (len <= 0 || len >= sizeof(buf))
+        return 0;
+#  else
     (void)vsprintf(buf, format, va);
-#endif
     va_end(va);
     len = strlen(buf); /* some *sprintf don't return the nb of bytes written */
     if (len <= 0) return 0;
+#  endif
+#endif
 
     return gzwrite(file, buf, (unsigned)len);
 }
@@ -553,14 +571,31 @@
     int len;
 
 #ifdef HAS_snprintf
+#  ifdef HAS_snprintf_return
+    len = snprintf(buf, sizeof(buf), format, a1, a2, a3, a4, a5, a6, a7, a8,
+	         a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20);
+    if (len <= 0 || len >= sizeof(buf))
+        return 0;
+#  else
     snprintf(buf, sizeof(buf), format, a1, a2, a3, a4, a5, a6, a7, a8,
 	     a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20);
+    len = strlen(buf);
+    if (len <= 0)
+        return 0;
+#  endif
 #else
+#  ifdef HAS_sprintf_return
+    len = sprintf(buf, format, a1, a2, a3, a4, a5, a6, a7, a8,
+	        a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20);
+    if (len <= 0 || len >= sizeof(buf))
+        return 0;
+#  else
     sprintf(buf, format, a1, a2, a3, a4, a5, a6, a7, a8,
 	    a9, a10, a11, a12, a13, a14, a15, a16, a17, a18, a19, a20);
-#endif
     len = strlen(buf); /* old sprintf doesn't return the nb of bytes written */
     if (len <= 0) return 0;
+#  endif
+#endif
 
     return gzwrite(file, buf, len);
 }