It should mention that the bug only exists after some arbitrary "patch" was introduced, as the current title makes it sound like the actual zlib has a security issue.
Seems like it's not just arbitrary, but crafted. Could not find it anywhere, for example, searching for "DISTS so we can remove overflow checks from" (with quotes ofc) brings up just this site, both in Google and Bing. It has typos, btw.
It would be another issue if it came from https://chromium.googlesource.com/chromium/src/+/HEAD/third_..., but that's not the case.
The original title included "[CTF] Google CTF 2025", which would strongly hint (CTF = capture the flag) at the possibility of an artificial setting. That probably should have been included in the submission.
Not the author. The first sentence of the article does say this “webz is a zlib exploitation challenge from Google CTF 2025. The Google-zlib implementation provided in the challenge is not upstream; it’s a version with an arbitrary patch applied.”
It’s almost quite literally your comment word for word.
Legitimately, they are often too hard. Balancing the problems is quite challenging.
On top of that, the solutions often make the problems seem much more intimidating than they are (not that they are easy). Most solutions involve a lot of “happenstance”, where someone tried something and it got an outcome that was useful, which they build on top of. This makes the solutions look crazy complicated (“how would I have ever thought of this!?”), when in reality they are Rube Goldberg machines built out of duct tape and baling wire.
I’ve only solved a few Google CTF problems, and one of them was the one I wrote, lol. That was nearly a decade ago though.
The best teams from Google CTF were invited to compete in Hackceler8, a combination of speedrunning and CTF, this year on a SEGA Genesis. Today are the finals, which are streamed and commented on YouTube. See this teaser [0]
binaryturtle | 5 months ago
pajko | 5 months ago
molticrystal | 5 months ago
rot22 | 5 months ago
Goofy_Coyote | 5 months ago
Unfortunately I’ve never been able to solve one, or even make meaningful progress.
underdeserver | 5 months ago
You should start with the Beginner's Quest CTF, by implementing a writeup's solution without looking at the writeup's actual code, and by playing other CTF style challenges such as Overthewire's Bandit.
https://capturetheflag.withgoogle.com/beginners-quest
https://overthewire.org/wargames/bandit/
strstr | 5 months ago
xxmarkuski | 5 months ago
[0] https://youtu.be/QQjxHBW7wSQ?si=ElmaUomuFnVx043T
hamonrye | 5 months ago
As I understand it, accumulating the tables is contingent on CTW.
krackers | 5 months ago
xemoc | 5 months ago
est | 5 months ago
I wonder if AIs could catch that.
bstsb | 5 months ago
> In practice, the vulnerability in this Google-zlib can be found quickly via fuzzing.