1 Fix for CVE-2016-1541. |
3 More information at: |
5 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1541 |
7 Patch based on committed changes at: |
9 https://github.com/libarchive/libarchive/commit/d0331e8e5b05b475f20b1f3101fe1ad772d7e7e7 |
11 and adjusted to work with the version of libarchive we currently have. |
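--- a/libarchive-3.1.2/libarchive/archive_read_support_format_zip.c
+++ b/libarchive-3.1.2/libarchive/archive_read_support_format_zip.c
@@ -560,6 +560,11 @@
 
 switch(rsrc->compression) {
 case 0: /* No compression. */
+ if (rsrc->uncompressed_size != rsrc->compressed_size) {
+ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+ "Malformed OS X metadata entry: inconsistent size");
+ return (ARCHIVE_FATAL);
+ }
 #ifdef HAVE_ZLIB_H
 case 8: /* Deflate compression. */
 #endif
@@ -581,6 +586,13 @@
 return (ARCHIVE_WARN);
 }
 
+ if (rsrc->compressed_size > (4 * 1024 * 1024)) {
+ archive_set_error(&a->archive, ARCHIVE_ERRNO_FILE_FORMAT,
+ "Mac metadata is too large: %jd > 4M bytes",
+ (intmax_t)rsrc->compressed_size);
+ return (ARCHIVE_WARN);
+ }
+
 metadata = malloc((size_t)rsrc->uncompressed_size);
 if (metadata == NULL) {
 archive_set_error(&a->archive, ENOMEM,
@@ -619,6 +631,8 @@
 bytes_avail = remaining_bytes;
 switch(rsrc->compression) {
 case 0: /* No compression. */
+ if ((size_t)bytes_avail > metadata_bytes)
+ bytes_avail = metadata_bytes;
 memcpy(mp, p, bytes_avail);
 bytes_used = (size_t)bytes_avail;
 metadata_bytes -= bytes_used;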
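Review bot: In the second hunk the new 4 MiB limit is applied to `rsrc->compressed_size`, but the allocation directly below it is sized from `rsrc->uncompressed_size`, and for a deflate entry nothing visible in this patch relates the two (the equality check added in the first hunk covers only `case 0`). The `return (ARCHIVE_WARN); }` context just above the added lines looks like the tail of an earlier size check, but that check starts outside the hunk, so it should be confirmed that it caps `uncompressed_size`. If it does, a short comment above the new test would record the invariant, for example `/* uncompressed_size is bounded by the check above; this bounds the compressed input as well */`. If it does not, `malloc((size_t)rsrc->uncompressed_size)` still takes an archive-controlled value, and the clamp added in the third hunk then guards only the stored-data `memcpy`, not the allocation size. The enclosing function begins and ends outside this section.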