comparison compression/unzip/CVE-2014-9636.patch @ 452:8c4366128400
compression/unzip: initial import, closes #1553
author | David Demelier <markand@malikania.fr> |
---|---|
date | Sat, 06 Apr 2019 08:13:23 +0200 |
parents | |
children |
1 From 190040ebfcf5395a6ccedede2cc9343d34f0a108 Mon Sep 17 00:00:00 2001 | |
2 From: mancha <mancha1 AT zoho DOT com> | |
3 Date: Wed, 11 Feb 2015 | |
4 Subject: Info-ZIP UnZip buffer overflow | |
5 | |
6 By carefully crafting a corrupt ZIP archive with "extra fields" that | |
7 purport to have compressed blocks larger than the corresponding | |
8 uncompressed blocks in STORED no-compression mode, an attacker can | |
9 trigger a heap overflow that can result in application crash or | |
10 possibly have other unspecified impact. | |
11 | |
12 This patch ensures that when extra fields use STORED mode, the | |
13 "compressed" and uncompressed block sizes match. | |
14 | |
15 --- | |
16 extract.c | 8 ++++++++ | |
17 1 file changed, 8 insertions(+) | |
18 | |
19 --- a/extract.c | |
20 +++ b/extract.c | |
21 @@ -2217,6 +2217,7 @@ static int test_compr_eb(__G__ eb, eb_si | |
22 ulg eb_ucsize; | |
23 uch *eb_ucptr; | |
24 int r; | |
25 + ush method; | |
26 | |
27 if (compr_offset < 4) /* field is not compressed: */ | |
28 return PK_OK; /* do nothing and signal OK */ | |
29 @@ -2226,6 +2227,13 @@ static int test_compr_eb(__G__ eb, eb_si | |
30 eb_size <= (compr_offset + EB_CMPRHEADLEN))) | |
31 return IZ_EF_TRUNC; /* no compressed data! */ | |
32 | |
33 + method = makeword(eb + (EB_HEADSIZE + compr_offset)); | |
34 + if ((method == STORED) && | |
35 + (eb_size - compr_offset - EB_CMPRHEADLEN != eb_ucsize)) | |
36 + return PK_ERR; /* compressed & uncompressed | |
37 + * should match in STORED | |
38 + * method */ | |
39 + | |
40 if ( | |
41 #ifdef INT_16BIT | |
42 (((ulg)(extent)eb_ucsize) != eb_ucsize) || |