Mercurial > vanilla
annotate compression/unzip/CVE-2014-9636.patch @ 538:0f8451f3a1e9
terminals: use new FHS
| author | David Demelier <markand@malikania.fr> |
|---|---|
| date | Wed, 10 Apr 2019 20:24:00 +0200 |
| parents | 8c4366128400 |
| children |
| rev | line source |
|---|---|
|
452
8c4366128400
compression/unzip: initial import, closes #1553
David Demelier <markand@malikania.fr>
parents:
diff
changeset
|
1 From 190040ebfcf5395a6ccedede2cc9343d34f0a108 Mon Sep 17 00:00:00 2001 |
|
8c4366128400
compression/unzip: initial import, closes #1553
David Demelier <markand@malikania.fr>
parents:
diff
changeset
|
2 From: mancha <mancha1 AT zoho DOT com> |
|
8c4366128400
compression/unzip: initial import, closes #1553
David Demelier <markand@malikania.fr>
parents:
diff
changeset
|
3 Date: Wed, 11 Feb 2015 |
|
8c4366128400
compression/unzip: initial import, closes #1553
David Demelier <markand@malikania.fr>
parents:
diff
changeset
|
4 Subject: Info-ZIP UnZip buffer overflow |
|
8c4366128400
compression/unzip: initial import, closes #1553
David Demelier <markand@malikania.fr>
parents:
diff
changeset
|
5 |
|
8c4366128400
compression/unzip: initial import, closes #1553
David Demelier <markand@malikania.fr>
parents:
diff
changeset
|
6 By carefully crafting a corrupt ZIP archive with "extra fields" that |
|
8c4366128400
compression/unzip: initial import, closes #1553
David Demelier <markand@malikania.fr>
parents:
diff
changeset
|
7 purport to have compressed blocks larger than the corresponding |
|
8c4366128400
compression/unzip: initial import, closes #1553
David Demelier <markand@malikania.fr>
parents:
diff
changeset
|
8 uncompressed blocks in STORED no-compression mode, an attacker can |
|
8c4366128400
compression/unzip: initial import, closes #1553
David Demelier <markand@malikania.fr>
parents:
diff
changeset
|
9 trigger a heap overflow that can result in application crash or |
|
8c4366128400
compression/unzip: initial import, closes #1553
David Demelier <markand@malikania.fr>
parents:
diff
changeset
|
10 possibly have other unspecified impact. |
|
8c4366128400
compression/unzip: initial import, closes #1553
David Demelier <markand@malikania.fr>
parents:
diff
changeset
|
11 |
|
8c4366128400
compression/unzip: initial import, closes #1553
David Demelier <markand@malikania.fr>
parents:
diff
changeset
|
12 This patch ensures that when extra fields use STORED mode, the |
|
8c4366128400
compression/unzip: initial import, closes #1553
David Demelier <markand@malikania.fr>
parents:
diff
changeset
|
13 "compressed" and uncompressed block sizes match. |
|
8c4366128400
compression/unzip: initial import, closes #1553
David Demelier <markand@malikania.fr>
parents:
diff
changeset
|
14 |
|
8c4366128400
compression/unzip: initial import, closes #1553
David Demelier <markand@malikania.fr>
parents:
diff
changeset
|
15 --- |
|
8c4366128400
compression/unzip: initial import, closes #1553
David Demelier <markand@malikania.fr>
parents:
diff
changeset
|
16 extract.c | 8 ++++++++ |
|
8c4366128400
compression/unzip: initial import, closes #1553
David Demelier <markand@malikania.fr>
parents:
diff
changeset
|
17 1 file changed, 8 insertions(+) |
|
8c4366128400
compression/unzip: initial import, closes #1553
David Demelier <markand@malikania.fr>
parents:
diff
changeset
|
18 |
|
8c4366128400
compression/unzip: initial import, closes #1553
David Demelier <markand@malikania.fr>
parents:
diff
changeset
|
19 --- a/extract.c |
|
8c4366128400
compression/unzip: initial import, closes #1553
David Demelier <markand@malikania.fr>
parents:
diff
changeset
|
20 +++ b/extract.c |
|
8c4366128400
compression/unzip: initial import, closes #1553
David Demelier <markand@malikania.fr>
parents:
diff
changeset
|
21 @@ -2217,6 +2217,7 @@ static int test_compr_eb(__G__ eb, eb_si |
|
8c4366128400
compression/unzip: initial import, closes #1553
David Demelier <markand@malikania.fr>
parents:
diff
changeset
|
22 ulg eb_ucsize; |
|
8c4366128400
compression/unzip: initial import, closes #1553
David Demelier <markand@malikania.fr>
parents:
diff
changeset
|
23 uch *eb_ucptr; |
|
8c4366128400
compression/unzip: initial import, closes #1553
David Demelier <markand@malikania.fr>
parents:
diff
changeset
|
24 int r; |
|
8c4366128400
compression/unzip: initial import, closes #1553
David Demelier <markand@malikania.fr>
parents:
diff
changeset
|
25 + ush method; |
|
8c4366128400
compression/unzip: initial import, closes #1553
David Demelier <markand@malikania.fr>
parents:
diff
changeset
|
26 |
|
8c4366128400
compression/unzip: initial import, closes #1553
David Demelier <markand@malikania.fr>
parents:
diff
changeset
|
27 if (compr_offset < 4) /* field is not compressed: */ |
|
8c4366128400
compression/unzip: initial import, closes #1553
David Demelier <markand@malikania.fr>
parents:
diff
changeset
|
28 return PK_OK; /* do nothing and signal OK */ |
|
8c4366128400
compression/unzip: initial import, closes #1553
David Demelier <markand@malikania.fr>
parents:
diff
changeset
|
29 @@ -2226,6 +2227,13 @@ static int test_compr_eb(__G__ eb, eb_si |
|
8c4366128400
compression/unzip: initial import, closes #1553
David Demelier <markand@malikania.fr>
parents:
diff
changeset
|
30 eb_size <= (compr_offset + EB_CMPRHEADLEN))) |
|
8c4366128400
compression/unzip: initial import, closes #1553
David Demelier <markand@malikania.fr>
parents:
diff
changeset
|
31 return IZ_EF_TRUNC; /* no compressed data! */ |
|
8c4366128400
compression/unzip: initial import, closes #1553
David Demelier <markand@malikania.fr>
parents:
diff
changeset
|
32 |
|
8c4366128400
compression/unzip: initial import, closes #1553
David Demelier <markand@malikania.fr>
parents:
diff
changeset
|
33 + method = makeword(eb + (EB_HEADSIZE + compr_offset)); |
|
8c4366128400
compression/unzip: initial import, closes #1553
David Demelier <markand@malikania.fr>
parents:
diff
changeset
|
34 + if ((method == STORED) && |
|
8c4366128400
compression/unzip: initial import, closes #1553
David Demelier <markand@malikania.fr>
parents:
diff
changeset
|
35 + (eb_size - compr_offset - EB_CMPRHEADLEN != eb_ucsize)) |
|
8c4366128400
compression/unzip: initial import, closes #1553
David Demelier <markand@malikania.fr>
parents:
diff
changeset
|
36 + return PK_ERR; /* compressed & uncompressed |
|
8c4366128400
compression/unzip: initial import, closes #1553
David Demelier <markand@malikania.fr>
parents:
diff
changeset
|
37 + * should match in STORED |
|
8c4366128400
compression/unzip: initial import, closes #1553
David Demelier <markand@malikania.fr>
parents:
diff
changeset
|
38 + * method */ |
|
8c4366128400
compression/unzip: initial import, closes #1553
David Demelier <markand@malikania.fr>
parents:
diff
changeset
|
39 + |
|
8c4366128400
compression/unzip: initial import, closes #1553
David Demelier <markand@malikania.fr>
parents:
diff
changeset
|
40 if ( |
|
8c4366128400
compression/unzip: initial import, closes #1553
David Demelier <markand@malikania.fr>
parents:
diff
changeset
|
41 #ifdef INT_16BIT |
|
8c4366128400
compression/unzip: initial import, closes #1553
David Demelier <markand@malikania.fr>
parents:
diff
changeset
|
42 (((ulg)(extent)eb_ucsize) != eb_ucsize) || |