|
1 Patch source: http://www.info-zip.org/phpBB3/download/file.php?id=95&sid=ec5c7dac6dd48459f3be4effa1a30945 |
|
2 More info: http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450 |
|
3 |
|
4 From a9bfab5b52d08879bbc5e0991684b700127ddcff Mon Sep 17 00:00:00 2001 |
|
5 From: mancha <mancha1 AT zoho DOT com> |
|
6 Date: Mon, 3 Nov 2014 |
|
7 Subject: Info-ZIP UnZip buffer overflow |
|
8 |
|
9 By carefully crafting a corrupt ZIP archive with "extra fields" that |
|
10 purport to have compressed blocks larger than the corresponding |
|
11 uncompressed blocks in STORED no-compression mode, an attacker can |
|
12 trigger a heap overflow that can result in application crash or |
|
13 possibly have other unspecified impact. |
|
14 |
|
15 This patch ensures that when extra fields use STORED mode, the |
|
16 "compressed" and uncompressed block sizes match. |
|
17 |
|
18 --- |
|
19 extract.c | 8 ++++++++ |
|
20 1 file changed, 8 insertions(+) |
|
21 |
|
22 --- a/extract.c |
|
23 +++ b/extract.c |
|
24 @@ -2217,6 +2217,7 @@ static int test_compr_eb(__G__ eb, eb_si |
|
25 ulg eb_ucsize; |
|
26 uch *eb_ucptr; |
|
27 int r; |
|
28 + ush method; |
|
29 |
|
30 if (compr_offset < 4) /* field is not compressed: */ |
|
31 return PK_OK; /* do nothing and signal OK */ |
|
32 @@ -2226,6 +2227,12 @@ static int test_compr_eb(__G__ eb, eb_si |
|
33 eb_size <= (compr_offset + EB_CMPRHEADLEN))) |
|
34 return IZ_EF_TRUNC; /* no compressed data! */ |
|
35 |
|
36 + method = makeword(eb + (EB_HEADSIZE + compr_offset)); |
|
37 + if ((method == STORED) && (eb_size - compr_offset != eb_ucsize)) |
|
38 + return PK_ERR; /* compressed & uncompressed |
|
39 + * should match in STORED |
|
40 + * method */ |
|
41 + |
|
42 if ( |
|
43 #ifdef INT_16BIT |
|
44 (((ulg)(extent)eb_ucsize) != eb_ucsize) || |
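Review bot: The length compared in the new STORED check still includes the EB_CMPRHEADLEN header bytes that sit in front of the compressed payload, so it is not the payload length the uncompressed buffer has to hold: the method word is read at `eb + (EB_HEADSIZE + compr_offset)`, i.e. the header starts at compr_offset, and the IZ_EF_TRUNC guard just above already treats `compr_offset + EB_CMPRHEADLEN` as where the data begins, which makes the payload `eb_size - compr_offset - EB_CMPRHEADLEN` bytes long. As written, a well-formed STORED field whose payload equals eb_ucsize is rejected with PK_ERR, while a field whose payload is larger than eb_ucsize by exactly EB_CMPRHEADLEN passes the check. I would change the condition to `if ((method == STORED) && (eb_size - compr_offset - EB_CMPRHEADLEN != eb_ucsize))`. The subtraction cannot wrap because the guard above rejects `eb_size <= compr_offset + EB_CMPRHEADLEN`, although the operand types are declared outside this hunk. test_compr_eb continues past the hunk with the allocation of eb_ucsize bytes and the extraction of the field, which is where a mismatched size is ultimately consumed.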