Not the author. The first sentence of the article does say this “webz is a zlib exploitation challenge from Google CTF 2025. The Google-zlib implementation provided in the challenge is not upstream; it’s a version with an arbitrary patch applied.”It’s almost quite literally your comment word for word.

Crafted for the Google CTF. Here&#x27;s the challenge:<a href="https:&#x2F;&#x2F;capturetheflag.withgoogle.com&#x2F;challenges&#x2F;pwn-webz" rel="nofollow">https:&#x2F;&#x2F;capturetheflag.withgoogle.com&#x2F;challenges&#x2F;pwn-webz</a>There&#x27;s an attachment link, which I believe contains the patch (I haven&#x27;t looked though):<a href="https:&#x2F;&#x2F;storage.googleapis.com&#x2F;2025-attachments&#x2F;193040ef9e60cda29d43988bced206b49051516bb63ba39b7cf270437889b146994d84440a9725e687164a0cae5e5cae17f8af46aae8d50f22e3d179d13e9e47.zip" rel="nofollow">https:&#x2F;&#x2F;storage.googleapis.com&#x2F;2025-attachments&#x2F;193040ef9e60...</a>

Seems like it&#x27;s not just arbitrary, but crafted. Could not find it anywhere, for example, searching for &quot;DISTS so we can remove overflow checks from&quot; (with quotes ofc) brings up just this site, both in Google and Bing. It has typos, btw.
It would be another issue if it came from <a href="https:&#x2F;&#x2F;chromium.googlesource.com&#x2F;chromium&#x2F;src&#x2F;+&#x2F;HEAD&#x2F;third_party&#x2F;zlib&#x2F;patches&#x2F;" rel="nofollow">https:&#x2F;&#x2F;chromium.googlesource.com&#x2F;chromium&#x2F;src&#x2F;+&#x2F;HEAD&#x2F;third_...</a>, but that&#x27;s not the case.

Many CTF challenges use existing real vulnerabilities, so that alone may not be sufficient.

The original title included &quot;[CTF] Google CTF 2025&quot; which would strongly hint(CTF=capture the flag) at the possibility of an artificial setting. That probably should of been included in the submission.

It should mention the bug only exists after some arbitrary &quot;patch&quot; was introduced. As the current title makes it sounds like the actual zlib has a security issue.

Great resources and sound advice.
Thank you, will take a look at the beginner’s quest for sure.
Also I definitely will follow the implementation advice. It just clicked. It’ll geerate a ton of aha moments for sure.I’ve done Bandit years ago and many other wargames and ctfs (htb, defcon etc), and still doing ctfs every Friday, been working in the field for over a decade, and have 3 CVEs (cvss 7+, one 9) to my name. I think I’m missing something else entirely when it comes to Google CTF.Maybe I need more theoretical knowledge (is that the right word here? By theoretical I mean more around pure cs and math) vs hands on real world (as in day to day) vulnerability research and exploitation.Would love to hear some feedback to get better.
There’s always more to learn in all directions.

Don&#x27;t give up. You can do it.You should start with the Beginner&#x27;s Quest CTF, by implementing a writeup&#x27;s solution without looking at the writeup&#x27;s actual code, and by playing other CTF style challenges such as Overthewire&#x27;s Bandit.<a href="https:&#x2F;&#x2F;capturetheflag.withgoogle.com&#x2F;beginners-quest" rel="nofollow">https:&#x2F;&#x2F;capturetheflag.withgoogle.com&#x2F;beginners-quest</a><a href="https:&#x2F;&#x2F;overthewire.org&#x2F;wargames&#x2F;bandit&#x2F;" rel="nofollow">https:&#x2F;&#x2F;overthewire.org&#x2F;wargames&#x2F;bandit&#x2F;</a>

Legitimately, they are often too hard. Balancing the problems is quite challenging.On top of that, the solutions often make the problems seem much intimidating than they are (not that they are easy). Most solutions involve a lot of “happenstance”, where someone tried something and it got an outcome that was useful, which they build on top of. This makes the solutions look crazy complicated (“how would i have ever thought of this!?”), when in reality they are Rube Goldberg machines built out of duct tape and baling wire.I’ve only solved a few Google CTF problems, and one of them was the one I wrote, lol. That was nearly a decade ago though.

Google CTFs are fascinating.
Amazing questions, I always enjoy the write ups.Unfortunately I’ve never been able to solve one, or even make meaningful progress.

The challenge does say &quot;Maybe the WebP 0day inspired you too&quot; so I think you are dead on

Maybe I&#x27;m misgeneralizing, but this seems very similar in flavor to the webp vulnerability a few years back

&gt; LZ77 decoding. This actually triggers the bug and causes integer overflow.As I understand it, accumulating the tables is contingent on CTW.

apparently you don&#x27;t even need AI!&gt; In practice, the vulnerability in this Google-zlib can be found quickly via fuzzing.

Good god that&#x27;s a wild read.I wonder if AIs could catch that.

Google CTF 2025 – webz : Exploiting zlib's Huffman Code Table