components/unzip/patches/04_CVE-2014-9636.patch
changeset 5537 fb31633dac76
parent 4108 9738d7207050
5533:5ae80072d3ba 5537:fb31633dac76
       
     1 Patch source: http://www.info-zip.org/phpBB3/download/file.php?id=95&sid=ec5c7dac6dd48459f3be4effa1a30945
       
     2 More info: http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450
       
     3 
       
     4 From a9bfab5b52d08879bbc5e0991684b700127ddcff Mon Sep 17 00:00:00 2001
       
     5 From: mancha <mancha1 AT zoho DOT com>
       
     6 Date: Mon, 3 Nov 2014
       
     7 Subject: Info-ZIP UnZip buffer overflow
       
     8 
       
     9 By carefully crafting a corrupt ZIP archive with "extra fields" that
       
    10 purport to have compressed blocks larger than the corresponding
       
    11 uncompressed blocks in STORED no-compression mode, an attacker can
       
    12 trigger a heap overflow that can result in application crash or
       
    13 possibly have other unspecified impact.
       
    14 
       
    15 This patch ensures that when extra fields use STORED mode, the
       
    16 "compressed" and uncompressed block sizes match.
       
    17 
       
    18 ---
       
    19  extract.c |    8 ++++++++
       
    20  1 file changed, 8 insertions(+)
       
    21 
       
    22 --- a/extract.c
       
    23 +++ b/extract.c
       
    24 @@ -2217,6 +2217,7 @@ static int test_compr_eb(__G__ eb, eb_si
       
    25      ulg eb_ucsize;
       
    26      uch *eb_ucptr;
       
    27      int r;
       
    28 +    ush method;
       
    29  
       
    30      if (compr_offset < 4)                /* field is not compressed: */
       
    31          return PK_OK;                    /* do nothing and signal OK */
       
    32 @@ -2226,6 +2227,12 @@ static int test_compr_eb(__G__ eb, eb_si
       
    33           eb_size <= (compr_offset + EB_CMPRHEADLEN)))
       
    34          return IZ_EF_TRUNC;               /* no compressed data! */
       
    35  
       
    36 +    method = makeword(eb + (EB_HEADSIZE + compr_offset));
       
    37 +    if ((method == STORED) && (eb_size - compr_offset != eb_ucsize))
       
    38 +	return PK_ERR;			  /* compressed & uncompressed
       
    39 +					   * should match in STORED
       
    40 +					   * method */
       
    41 +
       
    42      if (
       
    43  #ifdef INT_16BIT
       
    44          (((ulg)(extent)eb_ucsize) != eb_ucsize) ||