Using MemorySanitizer with a fuzzer on a clean compile of zlib I find issues in zcalloc in zlib/zutil.c:311. This is because that function does not always return calloc, but malloc, which is uninitialized:

Uninitialized value was created by a heap allocation
    #0 0x4d24dd in malloc /src/llvm-project/compiler-rt/lib/msan/msan_interceptors.cpp:901:3
    #1 0x563677 in zcalloc zlib/zutil.c:311:39
    #2 0x528912 in deflateInit2_ zlib/deflate.c:322:27

This line makes no sense to me:

if sizeof(uInt) is bigger than 2 then it returns malloc rather than calloc. This files MemorySanitizer security issues:

==1==WARNING: MemorySanitizer: use-of-uninitialized-value
    #0 0x53443d in slide_hash zlib/deflate.c:219:20
    #1 0x52b179 in fill_window zlib/deflate.c:1516:13
    #2 0x53b4d0 in deflate_fast zlib/deflate.c:1838:13
    #3 0x531e70 in deflate zlib/deflate.c:1003:18

ghost changed the title from "zcalloc does not guarantee initialized allocation" to "MemorySanitizer: zcalloc does not guarantee initialized allocation" on Aug 13, 2020

The use of malloc() in preference to calloc() is intentional to avoid initializing allocated memory for speed optimization.

The line that makes no sense to you is likely due to the fact that you're not old enough to remember architectures with 16-bit pointers combined with segments to address more than 64K. In those cases calloc() had to be used to allocate more than 64K bytes of memory. (zlib is more than 25 years old at this point.)

I will close this issue, since there is no intent for zcalloc() to initialize memory. However you can file a new issue for the use-of-uninitialized-value. Please include the version of zlib used.
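Since the maintainer's position is that zcalloc() is not going to zero memory, the practical route for a fuzz harness that wants MemorySanitizer-clean runs, or for an application that wants every zlib buffer to start zeroed, is zlib's own allocator hook: z_stream carries zalloc/zfree/opaque fields that the caller may set before deflateInit2()/inflateInit2(), and zlib then routes every allocation through them instead of zcalloc(). The following is an added example written for this issue, not code from zlib or from either participant. The function names zeroing_alloc and zeroing_free are hypothetical; the parameter types spell out zlib's alloc_func and free_func typedefs (uInt is unsigned int, voidpf is void *) so the file builds without zlib.h, and the wiring into z_stream is shown only as a comment for the same reason.

```c
/*
 * Added example (not zlib's own code): a zeroing allocator pair that a
 * program or fuzz harness can hand to zlib through z_stream.zalloc and
 * z_stream.zfree, so every buffer zlib requests arrives initialized
 * regardless of zcalloc()'s malloc()/calloc() choice.
 */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Matches zlib's alloc_func: voidpf (*)(voidpf opaque, uInt items, uInt size).
   Hypothetical name; uInt == unsigned int and voidpf == void * in zconf.h. */
void *zeroing_alloc(void *opaque, unsigned int items, unsigned int size)
{
    (void)opaque;
    /* zcalloc() computes items * size in unsigned int; refuse a request
       whose product would wrap instead of handing back a short buffer. */
    if (items != 0 && size > UINT_MAX / items)
        return NULL;
    /* calloc() zero-fills and re-checks the product in size_t. */
    return calloc(items, size);
}

/* Matches zlib's free_func: void (*)(voidpf opaque, voidpf address). */
void zeroing_free(void *opaque, void *address)
{
    (void)opaque;
    free(address);
}

/* Self-check: return 1 if every byte of an items*size allocation from
   zeroing_alloc() reads as zero, 0 on a non-zero byte or on failure. */
int allocation_is_zeroed(unsigned int items, unsigned int size)
{
    unsigned char *p = zeroing_alloc(NULL, items, size);
    if (p == NULL)
        return 0;
    size_t n = (size_t)items * size;
    int zeroed = 1;
    for (size_t i = 0; i < n; i++) {
        if (p[i] != 0) {
            zeroed = 0;
            break;
        }
    }
    zeroing_free(NULL, p);
    return zeroed;
}

/* Self-check: return 1 if the allocator refuses an items*size that would
   wrap in unsigned int, 0 if it handed back a buffer. */
int rejects_overflow(unsigned int items, unsigned int size)
{
    void *p = zeroing_alloc(NULL, items, size);
    if (p != NULL) {
        zeroing_free(NULL, p);
        return 0;
    }
    return 1;
}

/*
 * Wiring into zlib (needs zlib.h and -lz, so shown as a comment here):
 *
 *     z_stream strm;
 *     memset(&strm, 0, sizeof strm);
 *     strm.zalloc = zeroing_alloc;
 *     strm.zfree  = zeroing_free;
 *     strm.opaque = Z_NULL;
 *     deflateInit2(&strm, Z_DEFAULT_COMPRESSION, Z_DEFLATED,
 *                  15, 8, Z_DEFAULT_STRATEGY);
 */
int main(void)
{
    printf("4x8 bytes zeroed:  %d\n", allocation_is_zeroed(4, 8));
    printf("overflow rejected: %d\n", rejects_overflow(UINT_MAX, 2));
    return 0;
}
```

With these callbacks installed, the heap allocation in the report above is no longer made by zcalloc(), so MemorySanitizer has nothing to flag for the slide_hash read because the table genuinely is initialized; the cost is exactly the zeroing that the maintainer's reply explains zlib avoids by default, so an application should decide per deployment whether that trade is worth it rather than expecting zlib to change.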