Hi Paul,

Thanks for the patch and for looking into this. I've been digging a bit further into the interaction.

Your patch `c5e7899` tightens the bounds for `SH(h + LOCFIL)` and `SH(h + LOCEXT)` within `check_zipfile()`, but there also appears to be an uninitialized read of `inbuf[3]` during the initial PKZIP magic number check in `gzip.c:get_method()`. This occurs when `DYN_ALLOC` is active (making `inbuf` uninitialized heap) and `insize` is precisely 3 due to a short input like `PK\x03`. The `memcmp((char*)inbuf, PKZIP_MAGIC, 4)` in `get_method()` will access `inbuf[3]` before `check_zipfile()` is even invoked for that path.

This can be demonstrated with:

    printf "\x50\x4B\x03" > trigger.dat
    # Assuming gzip compiled with DYN_ALLOC and your patch c5e7899
    valgrind --track-origins=yes ./gzip -tv trigger.dat

Best regards,
Mohamed Maatallah

On Fri, May 30, 2025 at 7:10 AM Paul Eggert wrote:
> Thanks for the bug report and proposed fix. I installed the attached,
> which should fix the gzip bug in a different way.
>
> I think the bug is innocuous in practice, but it's good to fix it anyway
> as these things tend to mushroom.
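The defensive pattern the report implies, a magic-number check that compares only bytes actually read, as an added C example that is not gzip's code and not from either author of the thread. `detect_method`, `magic_matches` and the `METHOD_*` values are constructed for this example; the magic byte strings mirror the well-known gzip and PKZIP signatures but are written here as local constants, not gzip's own definitions.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Local constants for this example (not gzip's own macros). */
#define PKZIP_MAGIC "\120\113\003\004"   /* "PK\003\004" */
#define GZIP_MAGIC  "\037\213"           /* 0x1f 0x8b */

enum method {
    METHOD_SHORT_INPUT = -2,   /* too few bytes to decide safely */
    METHOD_UNKNOWN     = -1,
    METHOD_GZIP        = 0,
    METHOD_PKZIP       = 1
};

/* Compare a magic string only when 'insize' valid bytes cover it.
 * Bytes at buf[insize] and beyond are treated as never read, so the
 * comparison is never allowed to reach them. */
static int magic_matches(const unsigned char *buf, size_t insize,
                         const char *magic, size_t magic_len)
{
    if (insize < magic_len)
        return 0;
    return memcmp(buf, magic, magic_len) == 0;
}

enum method detect_method(const unsigned char *buf, size_t insize)
{
    /* Fewer bytes than the shortest signature: nothing to classify. */
    if (insize < 2)
        return METHOD_SHORT_INPUT;

    if (magic_matches(buf, insize, GZIP_MAGIC, 2))
        return METHOD_GZIP;

    /* A 2- or 3-byte prefix of the PKZIP signature (e.g. "PK\003") is
     * reported as short input; the missing fourth byte is not inspected. */
    if (insize < 4 && memcmp(buf, PKZIP_MAGIC, insize) == 0)
        return METHOD_SHORT_INPUT;

    if (magic_matches(buf, insize, PKZIP_MAGIC, 4))
        return METHOD_PKZIP;

    return METHOD_UNKNOWN;
}

int main(void)
{
    /* Constructed input matching the 3-byte file in the report. */
    const unsigned char trigger[3] = { 0x50, 0x4B, 0x03 };
    printf("PK\\003 (3 bytes) -> %d (METHOD_SHORT_INPUT is %d)\n",
           detect_method(trigger, sizeof trigger), METHOD_SHORT_INPUT);
    return 0;
}
```

The point of the length gate is that `insize` (bytes actually read) rather than the buffer's allocated size decides how many bytes `memcmp` may touch; under a tool such as valgrind the hardened check produces no uninitialized-read report for the 3-byte input because that byte is simply never compared.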