comparison compression/unzip/CVE-2014-9636.patch @ 452:8c4366128400

compression/unzip: initial import, closes #1553
author David Demelier <markand@malikania.fr>
date Sat, 06 Apr 2019 08:13:23 +0200
1 From 190040ebfcf5395a6ccedede2cc9343d34f0a108 Mon Sep 17 00:00:00 2001
2 From: mancha <mancha1 AT zoho DOT com>
3 Date: Wed, 11 Feb 2015
4 Subject: Info-ZIP UnZip buffer overflow
5
6 By carefully crafting a corrupt ZIP archive with "extra fields" that
7 purport to have compressed blocks larger than the corresponding
8 uncompressed blocks in STORED no-compression mode, an attacker can
9 trigger a heap overflow that can result in application crash or
10 possibly have other unspecified impact.
11
12 This patch ensures that when extra fields use STORED mode, the
13 "compressed" and uncompressed block sizes match.
14
15 ---
16 extract.c | 8 ++++++++
17 1 file changed, 8 insertions(+)
18
19 --- a/extract.c
20 +++ b/extract.c
21 @@ -2217,6 +2217,7 @@ static int test_compr_eb(__G__ eb, eb_si
22 ulg eb_ucsize;
23 uch *eb_ucptr;
24 int r;
25 + ush method;
26
27 if (compr_offset < 4) /* field is not compressed: */
28 return PK_OK; /* do nothing and signal OK */
29 @@ -2226,6 +2227,13 @@ static int test_compr_eb(__G__ eb, eb_si
30 eb_size <= (compr_offset + EB_CMPRHEADLEN)))
31 return IZ_EF_TRUNC; /* no compressed data! */
32
33 + method = makeword(eb + (EB_HEADSIZE + compr_offset));
34 + if ((method == STORED) &&
35 + (eb_size - compr_offset - EB_CMPRHEADLEN != eb_ucsize))
36 + return PK_ERR; /* compressed & uncompressed
37 + * should match in STORED
38 + * method */
39 +
40 if (
41 #ifdef INT_16BIT
42 (((ulg)(extent)eb_ucsize) != eb_ucsize) ||