0
0
mirror of https://github.com/nodejs/node.git synced 2024-12-01 16:10:02 +01:00
nodejs/lib
Myles Borins 241eb6122e
zlib: gracefully set windowBits from 8 to 9
On 4 April 2017, Node.js versions v4.8.2 and v6.10.2 were
released. These versions bumped the vendored zlib library from
v1.2.8 to v1.2.11 in response to what it describes as low-severity
CVEs. In zlib v1.2.9, a change was made that causes an error to be
raised when a raw deflate stream is initialised with windowBits set
to 8.

In zlib v1.2.9, 8 become an invalid value for this parameter, and Node's zlib
module will crash if you call this:

```
zlib.createDeflateRaw({windowBits: 8})
```

On some versions this crashes Node and you cannot recover from it, while on some
versions it throws an exception. The permessage-deflate library up to
version v0.1.5 does make such a call with no try/catch

This commit reverts to the original behavior of zlib by gracefully changed
windowBits: 8 to windowBits: 9 for raw deflate streams.

Original-PR-URL: https://github.com/nodejs-private/node-private/pull/95
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>

PR-URL: https://github.com/nodejs/node/pull/16511
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Refael Ackermann <refack@gmail.com>
2017-10-29 20:14:01 +01:00
..
internal lib: setup IPC channel before console 2017-10-29 20:59:24 +02:00
_http_agent.js lib: use destructuring for some constants 2017-10-16 23:34:32 +02:00
_http_client.js http: do not blindly destroy UNIX domain sockets 2017-10-23 12:13:03 -04:00
_http_common.js lib: use destructuring for some constants 2017-10-16 23:34:32 +02:00
_http_incoming.js tools: enable additional eslint rules 2017-10-19 13:54:14 -04:00
_http_outgoing.js tools: enable additional eslint rules 2017-10-19 13:54:14 -04:00
_http_server.js http: support generic Duplex streams 2017-10-23 17:11:57 +02:00
_stream_duplex.js stream: add destroy and _destroy methods. 2017-05-22 08:34:14 +02:00
_stream_passthrough.js meta: restore original copyright header 2017-03-10 11:23:48 -08:00
_stream_readable.js stream: complete migration to internal/errors 2017-10-29 18:57:28 +01:00
_stream_transform.js stream: migrate to internal/errors 2017-10-01 20:37:00 -03:00
_stream_wrap.js lib: move _stream_wrap into internals 2017-10-19 18:06:27 +02:00
_stream_writable.js stream: complete migration to internal/errors 2017-10-29 18:57:28 +01:00
_tls_common.js lib: use destructuring for some constants 2017-10-16 23:34:32 +02:00
_tls_legacy.js tools: enable additional eslint rules 2017-10-19 13:54:14 -04:00
_tls_wrap.js tls: properly track writeQueueSize during writes 2017-10-21 09:48:36 -04:00
.eslintrc.yaml tools: remove legacy indentation linting 2017-07-30 09:21:52 -07:00
assert.js util,assert: expose util.isDeepStrictEqual() 2017-10-25 22:30:37 -07:00
async_hooks.js async_hooks: skip runtime checks when disabled 2017-10-19 12:45:21 +02:00
buffer.js buffer: move setupBufferJS to internal 2017-10-25 10:36:17 -07:00
child_process.js child_process: restore exec{File}Sync error props 2017-10-23 14:09:11 +02:00
cluster.js lib: use consistent indentation for ternaries 2017-07-07 06:57:16 -07:00
console.js console: improve console.group() 2017-08-25 11:29:33 -07:00
constants.js src: add support to pass flags to dlopen 2017-09-08 17:14:03 -04:00
crypto.js crypto: migrate setFipsCrypto to internal/errors 2017-10-27 08:13:01 -07:00
dgram.js lib: use destructuring for some constants 2017-10-16 23:34:32 +02:00
dns.js lib: use destructuring for some constants 2017-10-16 23:34:32 +02:00
domain.js lib: use destructuring for some constants 2017-10-16 23:34:32 +02:00
events.js events: onceWrapper apply directly with arguments 2017-10-21 09:29:09 -04:00
fs.js tools: enable additional eslint rules 2017-10-19 13:54:14 -04:00
http2.js http2: refactor error handling 2017-08-28 00:39:42 +04:00
http.js lib: use destructuring for some constants 2017-10-16 23:34:32 +02:00
https.js https: refactor to use http internals 2017-10-26 15:47:29 -07:00
inspector.js inspector: migrate to internal/errors 2017-10-16 09:31:18 -07:00
module.js module: fix extension lookups for top-level main 2017-10-28 13:25:40 +02:00
net.js net: fix timeout with null handle 2017-10-25 14:48:30 -04:00
os.js lib: use destructuring for some constants 2017-10-16 23:34:32 +02:00
path.js tools: enable additional eslint rules 2017-10-19 13:54:14 -04:00
perf_hooks.js perf_hooks: implementation of the perf timing API 2017-08-23 16:00:09 -07:00
process.js
punycode.js lib: remove let from for loops 2016-10-04 12:17:32 -04:00
querystring.js querystring: convert to using internal/errors 2017-10-28 14:04:53 -04:00
readline.js lib: use destructuring for some constants 2017-10-16 23:34:32 +02:00
repl.js repl: deprecate REPLServer.prototype.memory 2017-10-19 14:58:26 -04:00
stream.js lib: use destructuring for some constants 2017-10-16 23:34:32 +02:00
string_decoder.js lib: use destructuring for some constants 2017-10-16 23:34:32 +02:00
sys.js meta: restore original copyright header 2017-03-10 11:23:48 -08:00
timers.js timers: cleanup extraneous property on Immediates 2017-10-23 11:02:53 +02:00
tls.js lib: faster type checks for some types 2017-10-01 23:58:59 -03:00
tty.js tty,doc: add type-check to isatty 2017-10-22 16:51:10 -07:00
url.js lib: move duplicate spliceOne into internal/util 2017-10-20 15:51:20 -04:00
util.js util,assert: expose util.isDeepStrictEqual() 2017-10-25 22:30:37 -07:00
v8.js v8: add new to the throw statement 2017-06-28 20:00:42 +02:00
vm.js vm: deprecate vm.runInDebugContext 2017-10-23 17:17:16 +02:00
zlib.js zlib: gracefully set windowBits from 8 to 9 2017-10-29 20:14:01 +01:00