Exploiting huffman table bug in zlib

https://news.ycombinator.com/rss Hits: 11
Summary

Korean: https://velog.io/@0range1337/CTF-Google-CTF-2025-webz-Exploiting-zlibs-Huffman-Code-Table

1. Overview
2. Background
  2-1. google-zlib-Increase-Huffman-Table-Size.patch
  2-2. Deflate Algorithm
    2-2-1. LZ77
    2-2-2. Huffman Coding
3. Code Analysis
  3-1. Inflate
  3-2. Huffman Table
  3-3. Decode
4. Vulnerability
  4-1. Uninitialized Huffman Code Table
  4-2. Exploiting inflate_fast
    4-2-1. Integer Overflow (Unexploitable)
    4-2-2. PoC
    4-2-3. Stream Overflow (Exploitable)
    4-2-4. PoC
5. Exploit

1. Overview

webz is a zlib exploitation challenge from Google CTF 2025. The Google-zlib implementation provided in the challenge is not upstream; it’s a version with an arbitrary patch applied. Whereas typical open‑source exploit challenges ship a patch that clearly introduces a vulnerability, webz’s Google-zlib patch appears—at first glance—to be a normal optimization. In practice, the vulnerability in this Google-zlib can be found quickly via fuzzing. However, in this write‑up we’ll derive the precise root cause through source analysis.

2. Background

The Google-zlib codebase isn’t large, but it is quite tricky. Because it implements compression algorithms, manipulates data at the bit level, and contains optimizations that sacrifice readability, analysis can be difficult.

    /* Initialise a raw-deflate (no zlib header/trailer) inflate state with a 32 KiB window */
    int ret = inflateInit2(&webz_state.infstream, -15);
    webz_state.infstream.msg = webz_state.ok_status;
    if (ret != Z_OK) {
        printf("Error: inflateInit failed: %d\n", ret);
        return;
    }
    /* A single inflate() call is expected to consume the whole stream */
    ret = inflate(&webz_state.infstream, Z_NO_FLUSH);
    if (ret != Z_STREAM_END) {
        printf("Error: inflate failed: %d\n", ret);
        inflateEnd(&webz_state.infstream);
        return;
    }
    inflateEnd(&webz_state.infstream);

    /* windowBits can also be -8..-15 for raw deflate. In this case, -windowBits
       determines the window size. deflate() will then generate raw deflate data
       with no zlib header or trailer, and will not compute a check value. */

First, let’s look at the provided webz.c. It’s simply a wrapper around Google-zlib. It receives raw Deflate-compressed data from t...

First seen: 2025-09-30 09:36

Last seen: 2025-09-30 20:39