| From: sms |
| Subject: Fix CVE-2014-8141: out-of-bounds read issues in getZip64Data() |
| Bug-Debian: http://bugs.debian.org/773722 |
| |
| The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz |
| |
| Upstream-Status: Backport |
| CVE: CVE-2014-8141 |
| |
| Signed-off-by: Roy Li <rongqing.li@windriver.com> |
| |
| |
| --- a/fileio.c |
| +++ b/fileio.c |
| @@ -176,6 +176,8 @@ |
| #endif |
| static ZCONST char Far ExtraFieldTooLong[] = |
| "warning: extra field too long (%d). Ignoring...\n"; |
| +static ZCONST char Far ExtraFieldCorrupt[] = |
| + "warning: extra field (type: 0x%04x) corrupt. Continuing...\n"; |
| |
| #ifdef WINDLL |
| static ZCONST char Far DiskFullQuery[] = |
| @@ -2295,7 +2297,12 @@ |
| if (readbuf(__G__ (char *)G.extra_field, length) == 0) |
| return PK_EOF; |
| /* Looks like here is where extra fields are read */ |
| - getZip64Data(__G__ G.extra_field, length); |
| + if (getZip64Data(__G__ G.extra_field, length) != PK_COOL) |
| + { |
| + Info(slide, 0x401, ((char *)slide, |
| + LoadFarString( ExtraFieldCorrupt), EF_PKSZ64)); |
| + error = PK_WARN; |
| + } |
| #ifdef UNICODE_SUPPORT |
| G.unipath_filename = NULL; |
| if (G.UzO.U_flag < 2) { |
| --- a/process.c |
| +++ b/process.c |
| @@ -1,5 +1,5 @@ |
| /* |
| - Copyright (c) 1990-2009 Info-ZIP. All rights reserved. |
| + Copyright (c) 1990-2014 Info-ZIP. All rights reserved. |
| |
| See the accompanying file LICENSE, version 2009-Jan-02 or later |
| (the contents of which are also included in unzip.h) for terms of use. |
| @@ -1901,48 +1901,82 @@ |
| and a 4-byte version of disk start number. |
| Sets both local header and central header fields. Not terribly clever, |
| but it means that this procedure is only called in one place. |
| + |
| + 2014-12-05 SMS. |
| + Added checks to ensure that enough data are available before calling |
| + makeint64() or makelong(). Replaced various sizeof() values with |
| + simple ("4" or "8") constants. (The Zip64 structures do not depend |
| + on our variable sizes.) Error handling is crude, but we should now |
| + stay within the buffer. |
| ---------------------------------------------------------------------------*/ |
| |
| +#define Z64FLGS 0xffff |
| +#define Z64FLGL 0xffffffff |
| + |
| if (ef_len == 0 || ef_buf == NULL) |
| return PK_COOL; |
| |
| Trace((stderr,"\ngetZip64Data: scanning extra field of length %u\n", |
| ef_len)); |
| |
| - while (ef_len >= EB_HEADSIZE) { |
| + while (ef_len >= EB_HEADSIZE) |
| + { |
| eb_id = makeword(EB_ID + ef_buf); |
| eb_len = makeword(EB_LEN + ef_buf); |
| |
| - if (eb_len > (ef_len - EB_HEADSIZE)) { |
| - /* discovered some extra field inconsistency! */ |
| + if (eb_len > (ef_len - EB_HEADSIZE)) |
| + { |
| + /* Extra block length exceeds remaining extra field length. */ |
| Trace((stderr, |
| "getZip64Data: block length %u > rest ef_size %u\n", eb_len, |
| ef_len - EB_HEADSIZE)); |
| break; |
| } |
| - if (eb_id == EF_PKSZ64) { |
| - |
| + if (eb_id == EF_PKSZ64) |
| + { |
| int offset = EB_HEADSIZE; |
| |
| - if (G.crec.ucsize == 0xffffffff || G.lrec.ucsize == 0xffffffff){ |
| - G.lrec.ucsize = G.crec.ucsize = makeint64(offset + ef_buf); |
| - offset += sizeof(G.crec.ucsize); |
| + if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL)) |
| + { |
| + if (offset+ 8 > ef_len) |
| + return PK_ERR; |
| + |
| + G.crec.ucsize = G.lrec.ucsize = makeint64(offset + ef_buf); |
| + offset += 8; |
| } |
| - if (G.crec.csize == 0xffffffff || G.lrec.csize == 0xffffffff){ |
| - G.csize = G.lrec.csize = G.crec.csize = makeint64(offset + ef_buf); |
| - offset += sizeof(G.crec.csize); |
| + |
| + if ((G.crec.csize == Z64FLGL) || (G.lrec.csize == Z64FLGL)) |
| + { |
| + if (offset+ 8 > ef_len) |
| + return PK_ERR; |
| + |
| + G.csize = G.crec.csize = G.lrec.csize = makeint64(offset + ef_buf); |
| + offset += 8; |
| } |
| - if (G.crec.relative_offset_local_header == 0xffffffff){ |
| + |
| + if (G.crec.relative_offset_local_header == Z64FLGL) |
| + { |
| + if (offset+ 8 > ef_len) |
| + return PK_ERR; |
| + |
| G.crec.relative_offset_local_header = makeint64(offset + ef_buf); |
| - offset += sizeof(G.crec.relative_offset_local_header); |
| + offset += 8; |
| } |
| - if (G.crec.disk_number_start == 0xffff){ |
| + |
| + if (G.crec.disk_number_start == Z64FLGS) |
| + { |
| + if (offset+ 4 > ef_len) |
| + return PK_ERR; |
| + |
| G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf); |
| - offset += sizeof(G.crec.disk_number_start); |
| + offset += 4; |
| } |
| +#if 0 |
| + break; /* Expect only one EF_PKSZ64 block. */ |
| +#endif /* 0 */ |
| } |
| |
| - /* Skip this extra field block */ |
| + /* Skip this extra field block. */ |
| ef_buf += (eb_len + EB_HEADSIZE); |
| ef_len -= (eb_len + EB_HEADSIZE); |
| } |