mirror of
https://github.com/openssl/openssl.git
synced 2026-01-25 02:56:43 +00:00
045ca33cef
When ZLIB_SHARED is defined and DSO_load() fails to load the zlib library, ossl_comp_zlib_init() incorrectly returns 1 (success) while leaving all function pointers (p_compress, p_uncompress, etc.) as NULL. This causes COMP_zlib() and COMP_zlib_oneshot() to return valid-looking COMP_METHOD pointers, but when these methods are used (e.g., during TLS 1.3 certificate decompression), the NULL function pointers are dereferenced, causing a SIGSEGV crash. The bug occurs because the NULL pointer check (lines 297-303) was inside the `if (zlib_dso != NULL)` block, so it was skipped entirely when DSO_load() returned NULL. The fix moves the NULL pointer check outside the conditional block, consistent with how c_brotli.c and c_zstd.c handle this case. Now if the DSO fails to load, all function pointers remain NULL, the check catches this, and the function correctly returns 0 (failure). This also fixes an incorrect cast of p_uncompress from compress_ft to the correct uncompress_ft type. PoC demonstrating the bug: https://github.com/SiteRelEnby/openssl-zlib-poc Fixes #23563 CLA: trivial Reviewed-by: Paul Yang <paulyang.inf@gmail.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> MergeDate: Thu Jan 22 17:00:50 2026 (Merged from https://github.com/openssl/openssl/pull/29699)