Patrick Williams | c124f4f | 2015-09-15 14:41:29 -0500 | [diff] [blame] | 1 | From 190040ebfcf5395a6ccedede2cc9343d34f0a108 Mon Sep 17 00:00:00 2001 |
| 2 | From: mancha <mancha1 AT zoho DOT com> |
| 3 | Date: Wed, 11 Feb 2015 |
| 4 | Subject: Info-ZIP UnZip buffer overflow |
| 5 | |
| 6 | Upstream-Status: Backport |
| 7 | |
| 8 | By carefully crafting a corrupt ZIP archive with "extra fields" that |
| 9 | purport to have compressed blocks larger than the corresponding |
| 10 | uncompressed blocks in STORED no-compression mode, an attacker can |
| 11 | trigger a heap overflow that can result in application crash or |
| 12 | possibly have other unspecified impact. |
| 13 | |
| 14 | This patch ensures that when extra fields use STORED mode, the |
| 15 | "compressed" and uncompressed block sizes match. |
| 16 | |
| 17 | Signed-off-by: mancha <mancha1 AT zoho DOT com> |
| 18 | --- |
| 19 | extract.c | 8 ++++++++ |
| 20 | 1 file changed, 8 insertions(+) |
| 21 | |
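--- a/extract.c
+++ b/extract.c
@@ -2217,6 +2217,7 @@ static int test_compr_eb(__G__ eb, eb_si
 ulg eb_ucsize;
 uch *eb_ucptr;
 int r;
+ ush method;
 
 if (compr_offset < 4) /* field is not compressed: */
 return PK_OK; /* do nothing and signal OK */
@@ -2226,6 +2227,13 @@ static int test_compr_eb(__G__ eb, eb_si
 eb_size <= (compr_offset + EB_CMPRHEADLEN)))
 return IZ_EF_TRUNC; /* no compressed data! */
 
+ method = makeword(eb + (EB_HEADSIZE + compr_offset));
+ if ((method == STORED) &&
+ (eb_size - compr_offset - EB_CMPRHEADLEN != eb_ucsize))
+ return PK_ERR; /* compressed & uncompressed
+ * should match in STORED
+ * method */
+
 if (
 #ifdef INT_16BIT
 (((ulg)(extent)eb_ucsize) != eb_ucsize) ||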
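Review bot: The new STORED-size check in the second hunk explains only that the sizes "should match"; the reason a mismatch matters (the heap overflow described in the commit message) is not visible in the code, and the trailing three-line comment after `return PK_ERR;` is easy to overlook. I would move the comment above the `if` and state the consequence, e.g. `/* In STORED mode the block is used at its "compressed" length, so a compressed size larger than eb_ucsize would overrun the uncompressed buffer (see commit message); reject any mismatch. */`. The two-byte read by makeword() at `eb + (EB_HEADSIZE + compr_offset)` relies on the preceding `eb_size <= (compr_offset + EB_CMPRHEADLEN)` test to keep the method word inside the field, which holds only if EB_CMPRHEADLEN covers that word — its value is not shown here, so worth confirming. The same preceding test keeps `eb_size - compr_offset - EB_CMPRHEADLEN` from wrapping if those operands are unsigned, as eb_ucsize's `ulg` type suggests; a short comment saying the earlier check guarantees this would save the next reader the derivation. test_compr_eb's body continues beyond the hunk.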