Patrick Williams | c124f4f | 2015-09-15 14:41:29 -0500 | [diff] [blame] | 1 | From: sms |
| 2 | Subject: Fix CVE-2014-8140: out-of-bounds write issue in test_compr_eb() |
| 3 | Bug-Debian: http://bugs.debian.org/773722 |
| 4 | |
| 5 | The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz |
| 6 | |
| 7 | Upstream-Status: Backport |
Patrick Williams | d8c66bc | 2016-06-20 12:57:21 -0500 | [diff] [blame] | 8 | CVE: CVE-2014-8140 |
Patrick Williams | c124f4f | 2015-09-15 14:41:29 -0500 | [diff] [blame] | 9 | |
| 10 | Signed-off-by: Roy Li <rongqing.li@windriver.com> |
| 11 | |
| 12 | --- a/extract.c |
| 13 | +++ b/extract.c |
| 14 | @@ -2232,10 +2232,17 @@ |
| 15 | if (compr_offset < 4) /* field is not compressed: */ |
| 16 | return PK_OK; /* do nothing and signal OK */ |
| 17 | |
| 18 | + /* Return no/bad-data error status if any problem is found: |
| 19 | + * 1. eb_size is too small to hold the uncompressed size |
| 20 | + * (eb_ucsize). (Else extract eb_ucsize.) |
| 21 | + * 2. eb_ucsize is zero (invalid). 2014-12-04 SMS. |
| 22 | + * 3. eb_ucsize is positive, but eb_size is too small to hold |
| 23 | + * the compressed data header. |
| 24 | + */ |
| 25 | if ((eb_size < (EB_UCSIZE_P + 4)) || |
| 26 | - ((eb_ucsize = makelong(eb+(EB_HEADSIZE+EB_UCSIZE_P))) > 0L && |
| 27 | - eb_size <= (compr_offset + EB_CMPRHEADLEN))) |
| 28 | - return IZ_EF_TRUNC; /* no compressed data! */ |
| 29 | + ((eb_ucsize = makelong( eb+ (EB_HEADSIZE+ EB_UCSIZE_P))) == 0L) || |
| 30 | + ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN)))) |
| 31 | + return IZ_EF_TRUNC; /* no/bad compressed data! */ |
| 32 | |
| 33 | if ( |
| 34 | #ifdef INT_16BIT |