Closed
I did this
Using zlib v1.2.12 patched for CVE-2022-37434:
make test
# or...
cd tests
./runtests.pl 224
test 0224...[HTTP GET gzip compressed content with huge comment and extra field]
224: data FAILED:
--- log/check-expected 2022-08-07 23:29:39.568010972 +0000
+++ log/check-generated 2022-08-07 23:29:39.568010972 +0000
@@ -1,9 +0,0 @@
-HTTP/1.1 200 OK[CR][LF]
-Date: Mon, 29 Nov 2004 21:56:53 GMT[CR][LF]
-Server: Apache/1.3.31 (Debian GNU/Linux) mod_gzip/1.3.26.1a PHP/4.3.9-1 mod_ssl/2.8.20 OpenSSL/0.9.7d mod_perl/1.29[CR][LF]
-Vary: Accept-Encoding[CR][LF]
-Content-Type: text/html; charset=ISO-8859-1[CR][LF]
-Content-Encoding: gzip[CR][LF]
-Content-Length: 2186[CR][LF]
-[CR][LF]
-uncompressed gzip data with long gzip header[LF]
I've also seen this test failure accompanied by a segfault, but this only happens within a sandbox (which uses the Linux kernel's namespacing feature):
test 0224...core dumped
FAILED
I expected the following
For the test to succeed.
curl/libcurl version
7.84.0
operating system
Linux 5.15.43 #1-NixOS SMP Wed May 25 12:42:07 UTC 2022 aarch64 GNU/Linux
This very much could be a zlib issue since the patch in question hasn't made it into a release yet, but I'm going to leave this open just in case it's not; feel free to close.
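One way to check whether the zlib build itself is at fault, independent of curl (an added example, not part of the original report or of curl's test suite): build a gzip member whose header carries an extra field and a long comment, as test 224's name describes, and inflate it in small chunks. The function names and the field contents are constructed for illustration, and the check only exercises the patched library if the Python interpreter is linked against that zlib build.

```python
import struct
import zlib

FEXTRA, FCOMMENT = 0x04, 0x10  # FLG bits defined in RFC 1952


def build_gzip(payload: bytes, extra: bytes, comment: bytes) -> bytes:
    """Assemble one gzip member by hand so the optional header fields are set."""
    if len(extra) > 0xFFFF:
        raise ValueError("XLEN is a 16-bit field")
    if b"\x00" in comment:
        raise ValueError("the comment is NUL-terminated and cannot contain NUL")
    # ID1, ID2, CM=8 (deflate), FLG, MTIME=0, XFL=0, OS=255 (unknown)
    header = struct.pack("<BBBBIBB", 0x1F, 0x8B, 8, FEXTRA | FCOMMENT, 0, 0, 255)
    header += struct.pack("<H", len(extra)) + extra
    header += comment + b"\x00"
    deflater = zlib.compressobj(9, zlib.DEFLATED, -zlib.MAX_WBITS)  # raw deflate
    body = deflater.compress(payload) + deflater.flush()
    trailer = struct.pack("<II", zlib.crc32(payload) & 0xFFFFFFFF, len(payload))
    return header + body + trailer


def inflate_in_chunks(stream: bytes, chunk_size: int) -> bytes:
    """Decode a gzip stream piecewise, the way an HTTP body arrives."""
    inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16+ selects gzip framing
    out = bytearray()
    for offset in range(0, len(stream), chunk_size):
        out += inflater.decompress(stream[offset:offset + chunk_size])
    out += inflater.flush()
    if not inflater.eof:
        raise ValueError("gzip stream ended before the trailer")
    return bytes(out)


def check_zlib() -> bool:
    """True if the linked zlib inflates the sample at several chunk sizes."""
    payload = b"uncompressed gzip data with long gzip header\n"
    # Constructed sample: one subfield (SI1, SI2, LEN, data) and a long comment.
    extra = b"Ex" + struct.pack("<H", 4096) + b"\xAA" * 4096
    comment = b"C" * 8192
    stream = build_gzip(payload, extra, comment)
    return all(inflate_in_chunks(stream, n) == payload
               for n in (1, 7, 512, len(stream)))


if __name__ == "__main__":
    print("zlib runtime:", getattr(zlib, "ZLIB_RUNTIME_VERSION", zlib.ZLIB_VERSION))
    print("extra field + comment inflate OK:", check_zlib())
```

A crash inside zlib terminates the interpreter instead of raising an exception, so a run that prints the version line and then dies points at the library rather than at curl.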