zlib: backport upstream fix on CRC validation

Starting zlib 1.2.12, CRC validation has became stricter. This broke Keycloak ≥ 17 in certain situations, for details, see: - https://github.com/keycloak/keycloak/issues/11316 ; - https://github.com/NixOS/nixpkgs/issues/170539 This patch makes the CRC validation comprehensive with respect to older or already existing checksums out there.
2 years ago · 8335c46632
parent b03728f029
commit 8335c46632
2 changed files with 57 additions and 0 deletions
--- a/pkgs/development/libraries/zlib/comprehensive-crc-validation-for-wrong-implementations.patch
+++ b/pkgs/development/libraries/zlib/comprehensive-crc-validation-for-wrong-implementations.patch
@ -0,0 +1,51 @@
+From ec3df00224d4b396e2ac6586ab5d25f673caa4c2 Mon Sep 17 00:00:00 2001
+From: Mark Adler <madler@alumni.caltech.edu>
+Date: Wed, 30 Mar 2022 11:14:53 -0700
+Subject: [PATCH] Correct incorrect inputs provided to the CRC functions.
+
+The previous releases of zlib were not sensitive to incorrect CRC
+inputs with bits set above the low 32. This commit restores that
+behavior, so that applications with such bugs will continue to
+operate as before.
+---
+ crc32.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/crc32.c b/crc32.c
+index a1bdce5c2..451887bc7 100644
+--- a/crc32.c
+++ b/crc32.c
+@@ -630,7 +630,7 @@ unsigned long ZEXPORT crc32_z(crc, buf, len)
+ #endif /* DYNAMIC_CRC_TABLE */
+ 
+     /* Pre-condition the CRC */
+-    crc ^= 0xffffffff;
+    crc = (~crc) & 0xffffffff;
+ 
+     /* Compute the CRC up to a word boundary. */
+     while (len && ((z_size_t)buf & 7) != 0) {
+@@ -749,7 +749,7 @@ unsigned long ZEXPORT crc32_z(crc, buf, len)
+ #endif /* DYNAMIC_CRC_TABLE */
+ 
+     /* Pre-condition the CRC */
+-    crc ^= 0xffffffff;
+    crc = (~crc) & 0xffffffff;
+ 
+ #ifdef W
+ 
+@@ -1077,7 +1077,7 @@ uLong ZEXPORT crc32_combine64(crc1, crc2, len2)
+ #ifdef DYNAMIC_CRC_TABLE
+     once(&made, make_crc_table);
+ #endif /* DYNAMIC_CRC_TABLE */
+-    return multmodp(x2nmodp(len2, 3), crc1) ^ crc2;
+    return multmodp(x2nmodp(len2, 3), crc1) ^ (crc2 & 0xffffffff);
+ }
+ 
+ /* ========================================================================= */
+@@ -1112,5 +1112,5 @@ uLong crc32_combine_op(crc1, crc2, op)
+     uLong crc2;
+     uLong op;
+ {
+-    return multmodp(op, crc1) ^ crc2;
+    return multmodp(op, crc1) ^ (crc2 & 0xffffffff);
+ }
--- a/pkgs/development/libraries/zlib/default.nix
+++ b/pkgs/development/libraries/zlib/default.nix
@ -42,6 +42,12 @@ stdenv.mkDerivation (rec {

  patches = [
    ./fix-configure-issue-cross.patch
+    # Starting zlib 1.2.12, zlib is stricter to incorrect CRC inputs
+    # with bits set above the low 32.
+    # see https://github.com/madler/zlib/issues/618
+    # TODO: remove the patch if upstream releases https://github.com/madler/zlib/commit/ec3df00224d4b396e2ac6586ab5d25f673caa4c2
+    # see https://github.com/NixOS/nixpkgs/issues/170539 for history.
+    ./comprehensive-crc-validation-for-wrong-implementations.patch
  ];

  strictDeps = true;