Patrick Williams | c124f4f | 2015-09-15 14:41:29 -0500 | [diff] [blame] | 1 | From: sms |
| 2 | Subject: Fix CVE-2014-8139: CRC32 verification heap-based overflow |
| 3 | Bug-Debian: http://bugs.debian.org/773722 |
| 4 | |
| 5 | The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz |
| 6 | |
| 7 | Upstream-Status: Backport |
| 8 | |
| 9 | Signed-off-by: Roy Li <rongqing.li@windriver.com> |
| 10 | |
| 11 | --- a/extract.c |
| 12 | +++ b/extract.c |
| 13 | @@ -298,6 +298,8 @@ |
| 14 | #ifndef SFX |
| 15 | static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \ |
| 16 | EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n"; |
| 17 | + static ZCONST char Far TooSmallEBlength[] = "bad extra-field entry:\n \ |
| 18 | + EF block length (%u bytes) invalid (< %d)\n"; |
| 19 | static ZCONST char Far InvalidComprDataEAs[] = |
| 20 | " invalid compressed data for EAs\n"; |
| 21 | # if (defined(WIN32) && defined(NTSD_EAS)) |
| 22 | @@ -2023,7 +2025,8 @@ |
| 23 | ebID = makeword(ef); |
| 24 | ebLen = (unsigned)makeword(ef+EB_LEN); |
| 25 | |
| 26 | - if (ebLen > (ef_len - EB_HEADSIZE)) { |
| 27 | + if (ebLen > (ef_len - EB_HEADSIZE)) |
| 28 | + { |
| 29 | /* Discovered some extra field inconsistency! */ |
| 30 | if (uO.qflag) |
| 31 | Info(slide, 1, ((char *)slide, "%-22s ", |
| 32 | @@ -2158,11 +2161,19 @@ |
| 33 | } |
| 34 | break; |
| 35 | case EF_PKVMS: |
| 36 | - if (makelong(ef+EB_HEADSIZE) != |
| 37 | + if (ebLen < 4) |
| 38 | + { |
| 39 | + Info(slide, 1, |
| 40 | + ((char *)slide, LoadFarString(TooSmallEBlength), |
| 41 | + ebLen, 4)); |
| 42 | + } |
| 43 | + else if (makelong(ef+EB_HEADSIZE) != |
| 44 | crc32(CRCVAL_INITIAL, ef+(EB_HEADSIZE+4), |
| 45 | (extent)(ebLen-4))) |
| 46 | + { |
| 47 | Info(slide, 1, ((char *)slide, |
| 48 | LoadFarString(BadCRC_EAs))); |
| 49 | + } |
| 50 | break; |
| 51 | case EF_PKW32: |
| 52 | case EF_PKUNIX: |