On 19/07/2025 12:15, Sylvain Beucler wrote:
The My_ZeroMemory logic appears to have been introduced in the 24.05 import: https://github.com/ip7z/7zip/ commit/395149956d696e6e3099d8b76d797437f94a6942#diff-88a430830000a0af8a34f1f0839670eea79d7b201bad3e5662e97159075880cbL1905-R1941
Correction, similar code:
UInt64 rem = _lzEnd - _lzSize;
...
memset(_window + pos, 0, rem2);
is present in the same function in earlier versions, it may be similarly
exploitable.
Cheers! Sylvain Beucler Debian LTS Team
