Brad Bishop | 6e60e8b | 2018-02-01 10:27:11 -0500 | [diff] [blame] | 1 | From: "Steven M. Schweda" <sms@antinode.info> |
| 2 | Subject: Fix CVE-2016-9844, buffer overflow in zipinfo |
| 3 | Bug-Debian: https://bugs.debian.org/847486 |
| 4 | Bug-Ubuntu: https://launchpad.net/bugs/1643750 |
| 5 | X-Debian-version: 6.0-21 |
| 6 | |
| 7 | Upstream-Status: Backport |
| 8 | CVE: CVE-2016-9844 |
| 9 | Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com> |
| 10 | |
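--- a/zipinfo.c
+++ b/zipinfo.c
@@ -1921,7 +1921,18 @@
 ush dnum=(ush)((G.crec.general_purpose_bit_flag>>1) & 3);
 methbuf[3] = dtype[dnum];
 } else if (methnum >= NUM_METHODS) { /* unknown */
- sprintf(&methbuf[1], "%03u", G.crec.compression_method);
+ /* 2016-12-05 SMS.
+ * https://launchpad.net/bugs/1643750
+ * Unexpectedly large compression methods overflow
+ * &methbuf[]. Use the old, three-digit decimal format
+ * for values which fit. Otherwise, sacrifice the "u",
+ * and use four-digit hexadecimal.
+ */
+ if (G.crec.compression_method <= 999) {
+ sprintf( &methbuf[ 1], "%03u", G.crec.compression_method);
+ } else {
+ sprintf( &methbuf[ 0], "%04X", G.crec.compression_method);
+ }
 }
 
 for (k = 0; k < 15; ++k)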
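Review bot: The `%04X` write in the new else arm is bounded only if `G.crec.compression_method` is a 16-bit field (at most FFFF), which the hunk does not show; the fix depends on the field's width rather than on the size of `methbuf`, so a later widening of that field would reintroduce the overflow the patch closes. A width-independent form would be a bounded write, `snprintf(methbuf, sizeof methbuf, "%04X", (unsigned)G.crec.compression_method);`, where snprintf is available to this build, or at least a comment recording the assumption next to the branch: `/* compression_method is 16-bit, so %04X yields at most four digits plus NUL */`. The `<= 999` test with `%03u` bounds the first branch in the same way and would benefit from the same comment. The enclosing function starts and ends outside this hunk.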