Sortix libz
Sortix libz is a cleaned up and modernized fork of the zlib deflate compression library.
This is Sortix libz. This is not zlib. This is a fork of zlib.
libz is a general purpose data compression library. The data format used by libz is described by RFC 1950 (zlib format), RFC 1951 (deflate format), and RFC 1952 (gzip format).
Sortix libz is developed as part of the Sortix operating system by Jonas 'Sortie' Termansen and contributors.
This libz has been cleaned up:
- Support for anything but modern Unix operating systems has been deleted.
- Support for 16-bit segmented platforms has been deleted.
- K&R function prototypes and declarations have been upgraded to ISO C ones.
- Mysterious work-arounds for broken toolchains and operating systems have been deleted.
- Questionable abstractions like local, z_const, and Z_NULL have been replaced with static, const, and NULL.
- Unsafe standard library interfaces are no longer used as a fallback when the safe standard library interfaces are missing. The safe ones are used unconditionally.
- Needless non-standard types have been replaced with standard ones.
- The standard C library is assumed to be present and compliant.
- Useless files have been deleted from the source distributions.
- (And more)
The result is a more secure and compact libz with focus on correctness, proper portability, auditability, simplification and opportunities to optimize.
libz is an ABI-compatible and API-compatible drop-in replacement for zlib 1.2.8 with a superior standard build system. libz is portable to Linux, the BSD systems, Haiku, Hurd, Minix, macOS, Sortix, and even unknown operating systems assuming they behave like a standard Unix. Like zlib, libz does not contain vendor-specific patches and might not be a perfect replacement for your system libz (if it is patched).
The zlib.h API contains many design flaws that are unfixable. The result is that it is tricky to use the API correctly, especially for large files and buffers. Much application code using the zlib.h API is flawed and needs a serious audit.
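One large-buffer hazard is size arithmetic that wraps around; the changelog on this page records that libz now saturates instead of overflowing in deflateBound and compressBound. The following is an added example, not code from libz: it places the bound arithmetic of zlib 1.2.8's compressBound() beside a saturating form, and the names bound_wrapping, add_sat, bound_saturating and bound_covers_input are hypothetical.

```c
#include <limits.h>
#include <stdio.h>

/* Bound arithmetic as in zlib 1.2.8 compressBound(): each '+' can wrap. */
static unsigned long bound_wrapping(unsigned long len)
{
    return len + (len >> 12) + (len >> 14) + (len >> 25) + 13;
}

/* Add b to a, clamping at ULONG_MAX instead of wrapping around. */
static unsigned long add_sat(unsigned long a, unsigned long b)
{
    return b > ULONG_MAX - a ? ULONG_MAX : a + b;
}

/* Same bound with saturating additions (hypothetical, not libz source). */
static unsigned long bound_saturating(unsigned long len)
{
    unsigned long r = len;
    r = add_sat(r, len >> 12);
    r = add_sat(r, len >> 14);
    r = add_sat(r, len >> 25);
    return add_sat(r, 13);
}

/* A usable bound is never smaller than the input it is a bound for.
 * A wrapped bound fails this check and would size a buffer too small;
 * a saturated bound passes and makes the allocation itself fail. */
static int bound_covers_input(unsigned long bound, unsigned long len)
{
    return bound >= len;
}

int main(void)
{
    /* Constructed sample lengths, including values near ULONG_MAX. */
    unsigned long samples[] = { 0, 4096, ULONG_MAX - 13, ULONG_MAX };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        unsigned long n = samples[i];
        unsigned long w = bound_wrapping(n), s = bound_saturating(n);
        printf("len=%lu wrapping=%lu (%s) saturating=%lu (%s)\n",
               n, w, bound_covers_input(w, n) ? "ok" : "TOO SMALL",
               s, bound_covers_input(s, n) ? "ok" : "TOO SMALL");
    }
    return 0;
}
```

A caller that allocates from the wrapped value gets a buffer smaller than its input, while a saturated ULONG_MAX cannot be allocated, so the error surfaces at allocation time.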
Source Code
This library is licensed under the zlib license. See zlib.h for details.
The latest release is libz-1.2.8.2025.03.07.tar.gz.
Always verify you are viewing this page over HTTPS and that libz-1.2.8.2025.03.07.tar.gz has the correct cryptographic SHA256 hash by running:
sha256sum -c << EOF
3cb8f4e57ff12325e81cebeb8bdac71064f8f2251b517ba74a1269b2a1caab81 libz-1.2.8.2025.03.07.tar.gz
EOF
Older releases can be found in the release directory.
libz-1.2.8.2025.03.07
This release is a security patch release that also fixes minor build issues.
- CVE-2023-45853: libz was not affected.
- (from zlib) CVE-2022-37434: Fix a bug when getting a gzip header extra field with inflate().
- (from zlib) CVE-2018-25032: Fix a bug that can crash deflate on some input when using Z_FIXED.
- (from zlib) CVE-2016-9843: Avoid pre-decrement of pointer in big-endian CRC calculation.
- CVE-2016-9842: Document that libz was affected until libz-1.2.8.2015.08.23.
- CVE-2016-9841: libz was not affected.
- (from zlib) CVE-2016-9840: Remove offset pointer optimization in inftrees.c.
- Add SECURITY file.
- Fix linking not using LDFLAGS.
- Fix command line parsing with expr(1) failing if the parameter is 0.
1.2.8.2015.12.26
- (from zlib) Add the _DARWIN_C_SOURCE feature macro.
- (from zlib) Fix bug that accepted invalid zlib header when windowBits is zero.
- (from zlib) Clean up portability for shifts and integer sizes.
- (from zlib) Avoid shifts of negative values in inflateMark().
- (from zlib) Use const for static tree descriptions in deflate.
- (from zlib) Align deflateParams() and its documentation in zlib.h.
- (from zlib) Clarify deflateReset() documentation.
- (from zlib) Avoid uninitialized access by gzclose_w().
- (from zlib) Avoid use of DEBUG macro -- change to ZLIB_DEBUG.
- (from zlib) Fix inflateInit2() bug when windowBits is 16 or 32.
- (from zlib) Add comment about not using windowBits of 8 for deflate().
- (from zlib) Avoid left shift of a negative value in flush rank calculation.
- (from zlib) Note in zlib.h that compress() uses Z_DEFAULT_COMPRESSION.
- (from zlib) Fix uncompress() to work on lengths more than a maximum unsigned.
- (from zlib) Fix compress() to work on lengths more than a maximum unsigned.
- Remove uses of ZLIB_INTERNAL replaced by Z_INSIDE_LIBZ.
- Fix inconsistent pointer style.
- Fix incorrect usage of attribute visibility hidden.
- Move system compiler works check out of macro.
- Fix typo about large file support in zlib.h.
- Remove support for syncing header when cross-compiling.
- Default includeexecdir to includedir if no exec-prefix.
- Saturate instead of overflow in deflateBound and compressBound.
1.2.8.2015.08.23
- Add the _DARWIN_C_SOURCE feature macro.
- Fix configure CPPFLAGS_FOR_BUILD lacking feature macros.
- Fix broken includeexecdir in z.pc cflags.
- Fix configure check_end quoting and whitespace.
1.2.8.2015.05.20
- Fix libz soname.
- Combine some configure script checks.
- Add option checking and operand variable assignment.
- Fix configure script not unsetting undesirable variables.
- Add --sharestatedir and --oldincludedir compatibility.
1.2.8.2015.05.19
- Fix cross-compilation detection logic.
- Delete unnecessary and useless files.
- Add endian detection fallbacks.
1.2.8.2015.04.19
- Initial release of the Sortix libz fork of zlib.
- Delete unnecessary and useless files.
- Remove support of irrelevant operating systems.
- Convert code to modern standard C.
- Adopt safer coding practices.
- (And more)
Development
libz is maintained in a git repository on GitLab.
Please check my work. I supply a script that can help you:
# Ensure diff-against-zlib.sh lists all the files that came from zlib. List
# all the files that are new and check them separately.
sh ./diff-against-zlib.sh /path/to/zlib-1.2.8
This gives you a diff of my changes to the zlib release I diverged from. My original changes were deliberately done so this diff is reasonably readable without noise, but it's still big.
Rationale
Please note the purpose of this fork is not to replace or discredit zlib. The zlib library was written in another age where robust coding practices were not as widespread and the common operating systems were often of low quality. The zlib library remains truly useful to many severely limited embedded platforms and other obscure platforms. As such, by popular demand it works on almost everything imaginable. This is fine.
The real issue is that it fits in poorly with modern operating systems, where we can do better with simpler, clearer and more robust coding practices, where we can assume the toolchains actually work and implement standard C. The coding style of zlib can be obscure and hard to audit. It doesn't take advantage of core standard library responsibilities such as fixed size integers and endian detection. It feels odd to compile a modern operating system from scratch and find such a poorly-integrated library at the core of the dependency graph.
This fork cleans up the official zlib to integrate it better with modern C environments. Not everyone has one of those, and those who don't can't use this fork. That's okay: they can use zlib instead. Relevant upstream work will be continuously merged; this is no big concern as zlib is largely in maintenance mode. It's unlikely that zlib will ever adopt the greater changes in this fork. Individual defects found while cleaning and auditing the code should be easily upstreamable though.
Contact
libz development is coordinated in #libz on irc.libera.chat IRC.
Bugs can be filed at the issue tracker.
Jonas 'Sortie' Termansen can be contacted via his website.
Acknowledgements
zlib was written by Jean-loup Gailly (compression) and Mark Adler (decompression). libz is forked from zlib.
This page is best viewed in a browser compiled with a K&R compiler.
uch uchf ush usfh ulg
local z_const OF((subvert))
zlib standard c
old redundancy
noise kindle forking fire
code disappears
a libz forked
libz is not zlib
compressed zlib