Patrick Williams | c124f4f | 2015-09-15 14:41:29 -0500 | [diff] [blame] | 1 | From: sms |
| 2 | Subject: Fix CVE-2014-8139: CRC32 verification heap-based overflow |
| 3 | Bug-Debian: http://bugs.debian.org/773722 |
| 4 | |
| 5 | The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz |
| 6 | |
| 7 | Upstream-Status: Backport |
Patrick Williams | d8c66bc | 2016-06-20 12:57:21 -0500 | [diff] [blame] | 8 | CVE: CVE-2014-8139 |
Patrick Williams | c124f4f | 2015-09-15 14:41:29 -0500 | [diff] [blame] | 9 | |
| 10 | Signed-off-by: Roy Li <rongqing.li@windriver.com> |
| 11 | |
| 12 | --- a/extract.c |
| 13 | +++ b/extract.c |
| 14 | @@ -298,6 +298,8 @@ |
| 15 | #ifndef SFX |
| 16 | static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \ |
| 17 | EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n"; |
| 18 | + static ZCONST char Far TooSmallEBlength[] = "bad extra-field entry:\n \ |
| 19 | + EF block length (%u bytes) invalid (< %d)\n"; |
| 20 | static ZCONST char Far InvalidComprDataEAs[] = |
| 21 | " invalid compressed data for EAs\n"; |
| 22 | # if (defined(WIN32) && defined(NTSD_EAS)) |
| 23 | @@ -2023,7 +2025,8 @@ |
| 24 | ebID = makeword(ef); |
| 25 | ebLen = (unsigned)makeword(ef+EB_LEN); |
| 26 | |
| 27 | - if (ebLen > (ef_len - EB_HEADSIZE)) { |
| 28 | + if (ebLen > (ef_len - EB_HEADSIZE)) |
| 29 | + { |
| 30 | /* Discovered some extra field inconsistency! */ |
| 31 | if (uO.qflag) |
| 32 | Info(slide, 1, ((char *)slide, "%-22s ", |
| 33 | @@ -2158,11 +2161,19 @@ |
| 34 | } |
| 35 | break; |
| 36 | case EF_PKVMS: |
| 37 | - if (makelong(ef+EB_HEADSIZE) != |
| 38 | + if (ebLen < 4) |
| 39 | + { |
| 40 | + Info(slide, 1, |
| 41 | + ((char *)slide, LoadFarString(TooSmallEBlength), |
| 42 | + ebLen, 4)); |
| 43 | + } |
| 44 | + else if (makelong(ef+EB_HEADSIZE) != |
| 45 | crc32(CRCVAL_INITIAL, ef+(EB_HEADSIZE+4), |
| 46 | (extent)(ebLen-4))) |
| 47 | + { |
| 48 | Info(slide, 1, ((char *)slide, |
| 49 | LoadFarString(BadCRC_EAs))); |
| 50 | + } |
| 51 | break; |
| 52 | case EF_PKW32: |
| 53 | case EF_PKUNIX: |