Added unit test against CVE-2018-25032.

Sample input from https://www.openwall.com/lists/oss-security/2022/03/26/1.

Co-authored-by: Tavis Ormandy <taviso@users.noreply.github.com>

CMakeLists.txt

@@ -1353,6 +1353,15 @@ if(ZLIB_ENABLE_TESTS)
             -P ${CMAKE_CURRENT_SOURCE_DIR}/cmake/run-and-redirect.cmake)
     endforeach()
 
+    add_test(NAME CVE-2018-25032
+        COMMAND ${CMAKE_COMMAND}
+        "-DTARGET=${MINIDEFLATE_COMMAND}"
+        "-DCOMPRESS_ARGS=-c;-k;-m;1;-w;-15;-s;4;-F"
+        "-DDECOMPRESS_ARGS=-c;-k;-d;-m;1;-w;-15"
+        -DGZIP_VERIFY=OFF
+        -DINPUT=${CMAKE_CURRENT_SOURCE_DIR}/test/CVE-2018-25032/test.txt
+        -P ${CMAKE_CURRENT_SOURCE_DIR}/cmake/test-compress.cmake)
+
     # Run tests targeting tools
     include(cmake/test-tools.cmake)
 

test/README.md

@@ -7,7 +7,8 @@ Contents
 |[CVE-2002-0059](https://nvd.nist.gov/vuln/detail/CVE-2002-0059)|inflateEnd to release memory more than once|
 |[CVE-2004-0797](https://nvd.nist.gov/vuln/detail/CVE-2004-0797)|Error handling in inflate and inflateBack causes crash|
 |[CVE-2005-1849](https://nvd.nist.gov/vuln/detail/CVE-2005-1849)|inftrees.h bug causes crash|
-|[CVE-2005-2096](https://nvd.nist.gov/vuln/detail/CVE-2005-2096)|Buffer overflow when incomplete code description
+|[CVE-2005-2096](https://nvd.nist.gov/vuln/detail/CVE-2005-2096)|Buffer overflow when incomplete code description|
+|[CVE-2018-25032](https://nvd.nist.gov/vuln/detail/CVE-2018-25032)|Memory corruption when compressing if the input has many distant matches.|
 |[GH-361](https://github.com/zlib-ng/zlib-ng/issues/361)|Test case for overlapping matches|
 |[GH-364](https://github.com/zlib-ng/zlib-ng/issues/364)|Test case for switching compression levels|
 |[GH-382](https://github.com/zlib-ng/zlib-ng/issues/382)|Test case for deflateEnd returning -3 in deflate quick|