
0012-Info-ZIP-UnZip-buffer-overflow.patch (1834B)


      1 From 14342a8a5ddafa76a8aa9800da078d415f50af71 Mon Sep 17 00:00:00 2001
      2 From: mancha <mancha1@zoho.com>
      3 Date: Wed, 11 Feb 2015 12:27:06 +0000
      4 Subject: [PATCH] Info-ZIP UnZip buffer overflow
      5 
      6 By carefully crafting a corrupt ZIP archive with "extra fields" that
      7 purport to have compressed blocks larger than the corresponding
      8 uncompressed blocks in STORED no-compression mode, an attacker can
      9 trigger a heap overflow that can result in application crash or
     10 possibly have other unspecified impact.
     11 
     12 This patch ensures that when extra fields use STORED mode, the
     13 "compressed" and uncompressed block sizes match.
     14 ---
     15  extract.c | 10 ++++++++++
     16  1 file changed, 10 insertions(+)
     17 
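diff --git a/extract.c b/extract.c
index ec31e60..f951b9f 100644
--- a/extract.c
+++ b/extract.c
@@ -2228,6 +2228,7 @@ static int test_compr_eb(__G__ eb, eb_size, compr_offset, test_uc_ebdata)
     ulg eb_ucsize;
     uch *eb_ucptr;
     int r;
+    ush eb_compr_method;
 
     if (compr_offset < 4)                /* field is not compressed: */
         return PK_OK;                    /* do nothing and signal OK */
@@ -2244,6 +2245,15 @@ static int test_compr_eb(__G__ eb, eb_size, compr_offset, test_uc_ebdata)
      ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
         return IZ_EF_TRUNC;             /* no/bad compressed data! */
 
+    /* 2015-02-10 Mancha(?), Michal Zalewski, Tomas Hoger, SMS.
+     * For STORE method, compressed and uncompressed sizes must agree.
+     * http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450
+     */
+    eb_compr_method = makeword( eb + (EB_HEADSIZE + compr_offset));
+    if ((eb_compr_method == STORED) &&
+     (eb_size != compr_offset + EB_CMPRHEADLEN + eb_ucsize))
+        return PK_ERR;
+
     if (
 #ifdef INT_16BIT
         (((ulg)(extent)eb_ucsize) != eb_ucsize) ||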
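Review bot: The added equality test `(eb_size != compr_offset + EB_CMPRHEADLEN + eb_ucsize)` is evaluated in the width of `eb_ucsize`, which the first hunk shows declared as `ulg`, so on a build where `ulg` is 32 bits an archive-supplied `eb_ucsize` near the type's maximum can wrap the sum back to `eb_size` and pass the check; the allocation of `eb_ucsize` bytes that presumably follows would fail on such a value, so this reads as a robustness gap rather than a bypass, but the invariant is stated without wraparound on the side the preceding IZ_EF_TRUNC test has already validated: `(eb_ucsize != (ulg)(eb_size - compr_offset - EB_CMPRHEADLEN))`. That form also keeps the current behaviour for a zero `eb_ucsize` with a short field (a non-zero difference still yields PK_ERR), but the types of `eb_size` and `compr_offset` come from the K&R parameter declarations outside the hunk, so confirm they are unsigned before relying on it. The new comment says "STORE method" while the code compares against `STORED`; naming the constant actually tested avoids a grep miss. A one-line why-comment such as `/* a STORED field copies eb_size - compr_offset bytes into an eb_ucsize buffer; reject any mismatch before that copy */` would tie the check to the overflow the commit message describes more durably than the forum link alone, if that is indeed the copy it guards. test_compr_eb begins before the first hunk and the trailing `if (` continues past the end of this one.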
     46 -- 
     47 2.20.1