0020-Fix-buffer-overflow-in-password-protected-zip-archiv.patch (1452B)
1 From d8d3475850d883e90d79086293279149d42658fd Mon Sep 17 00:00:00 2001
2 From: Karol Babioch <kbabioch@suse.com>
3 Date: Sat, 15 Jun 2019 18:13:11 -0700
4 Subject: [PATCH] Fix buffer overflow in password protected zip archives
5
6 ---
7 fileio.c | 14 +++++++++++++-
8 1 file changed, 13 insertions(+), 1 deletion(-)
9
10 diff --git a/fileio.c b/fileio.c
11 index 36bfea3..7c21ed0 100644
12 --- a/fileio.c
13 +++ b/fileio.c
14 @@ -1582,6 +1582,10 @@ int UZ_EXP UzpPassword (pG, rcnt, pwbuf, size, zfn, efn)
15 int r = IZ_PW_ENTERED;
16 char *m;
17 char *prompt;
18 + char *zfnf;
19 + char *efnf;
20 + size_t zfnfl;
21 + int isOverflow;
22
23 #ifndef REENTRANT
24 /* tell picky compilers to shut up about "unused variable" warnings */
25 @@ -1590,7 +1594,15 @@ int UZ_EXP UzpPassword (pG, rcnt, pwbuf, size, zfn, efn)
26
27 if (*rcnt == 0) { /* First call for current entry */
28 *rcnt = 2;
29 - if ((prompt = (char *)malloc(2*FILNAMSIZ + 15)) != (char *)NULL) {
30 + zfnf = FnFilter1(zfn);
31 + efnf = FnFilter2(efn);
32 + zfnfl = strlen(zfnf);
33 + isOverflow = TRUE;
34 + if (2*FILNAMSIZ >= zfnfl && (2*FILNAMSIZ - zfnfl) >= strlen(efnf))
35 + {
36 + isOverflow = FALSE;
37 + }
38 + if ((isOverflow == FALSE) && ((prompt = (char *)malloc(2*FILNAMSIZ + 15)) != (char *)NULL)) {
39 sprintf(prompt, LoadFarString(PasswPrompt),
40 FnFilter1(zfn), FnFilter2(efn));
41 m = prompt;
42 --
43 2.20.1
44
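Review bot: The `sprintf` in the second hunk still formats fresh `FnFilter1(zfn)` and `FnFilter2(efn)` results instead of the `zfnf`/`efnf` strings whose lengths the new guard just measured, so the check and the write agree only if the filters return identical text on every call. Passing the measured pointers, `sprintf(prompt, LoadFarString(PasswPrompt), zfnf, efnf);`, makes the checked data and the written data the same; the existing call already needs the two filters to return distinct buffers, so this should be safe. The guard also depends on the `+ 15` in `malloc(2*FILNAMSIZ + 15)` covering the fixed text of `PasswPrompt` plus the terminator, and that string is not visible here, so a comment next to the allocation such as `/* 15 = literal characters in PasswPrompt + NUL; keep in sync with the prompt */` would protect the bound if the prompt is ever edited. The body of UzpPassword continues outside the hunk, including the branch taken when `isOverflow` stays TRUE.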