Commit 347e3f7
Fix NULL pointer dereference when zlib DSO fails to load
When ZLIB_SHARED is defined and DSO_load() fails to load the zlib
library, ossl_comp_zlib_init() incorrectly returns 1 (success) while
leaving all function pointers (p_compress, p_uncompress, etc.) as NULL.
This causes COMP_zlib() and COMP_zlib_oneshot() to return valid-looking
COMP_METHOD pointers, but when these methods are used (e.g., during
TLS 1.3 certificate decompression), the NULL function pointers are
dereferenced, causing a SIGSEGV crash.
The bug occurs because the NULL pointer check (lines 297-303) was inside
the `if (zlib_dso != NULL)` block, so it was skipped entirely when
DSO_load() returned NULL.
The fix moves the NULL pointer check outside the conditional block,
consistent with how c_brotli.c and c_zstd.c handle this case. Now if
the DSO fails to load, all function pointers remain NULL, the check
catches this, and the function correctly returns 0 (failure).
This also fixes an incorrect cast of p_uncompress from compress_ft to
the correct uncompress_ft type.
PoC demonstrating the bug: https://github.com/SiteRelEnby/openssl-zlib-poc
Fixes #23563
CLA: trivial
Reviewed-by: Paul Yang <paulyang.inf@gmail.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
MergeDate: Thu Jan 22 17:00:50 2026
(Merged from #29699)
(cherry picked from commit 045ca33)1 parent 4d566e3 commit 347e3f7
1 file changed
+7
-7
lines changed| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
228 | 228 | | |
229 | 229 | | |
230 | 230 | | |
| 231 | + | |
231 | 232 | | |
232 | | - | |
233 | | - | |
234 | | - | |
235 | | - | |
236 | | - | |
237 | | - | |
238 | | - | |
| 233 | + | |
| 234 | + | |
| 235 | + | |
| 236 | + | |
| 237 | + | |
| 238 | + | |
239 | 239 | | |
240 | 240 | | |
241 | 241 | | |
| |||
0 commit comments