Patrick Williams | de0582f | 2022-04-08 10:23:27 -0500 | [diff] [blame] | 1 | From 731d698377dbd1f5b1b90efeb8094602ed59fc40 Mon Sep 17 00:00:00 2001 |
| 2 | From: Nils Bars <nils.bars@t-online.de> |
| 3 | Date: Mon, 17 Jan 2022 16:53:16 +0000 |
| 4 | Subject: [PATCH] Fix null pointer dereference and use of uninitialized data |
| 5 | |
| 6 | This fixes a bug that causes use of uninitialized heap data if `readbuf` fails |
| 7 | to read as many bytes as indicated by the extra field length attribute. |
| 8 | Furthermore, this fixes a null pointer dereference if an archive contains an |
| 9 | `EF_UNIPATH` extra field but does not have a filename set. |
| 10 | --- |
| 11 | fileio.c | 5 ++++- |
| 12 | process.c | 6 +++++- |
| 13 | 2 files changed, 9 insertions(+), 2 deletions(-) |
| 14 | --- |
| 15 | |
| 16 | Patch from: |
| 17 | https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1957077 |
| 18 | https://launchpadlibrarian.net/580782282/0001-Fix-null-pointer-dereference-and-use-of-uninitialized-data.patch |
| 19 | Regenerated to apply without offsets. |
| 20 | |
| 21 | CVE: CVE-2021-4217 |
| 22 | |
Andrew Geissler | 78b7279 | 2022-06-14 06:47:25 -0500 | [diff] [blame^] | 23 | Upstream-Status: Inactive-Upstream [infozip upstream inactive] |
Patrick Williams | de0582f | 2022-04-08 10:23:27 -0500 | [diff] [blame] | 24 | |
| 25 | Signed-off-by: Joe Slater <joe.slater@windriver.com> |
| 26 | |
| 27 | |
| 28 | diff --git a/fileio.c b/fileio.c |
| 29 | index 14460f3..1dc319e 100644 |
| 30 | --- a/fileio.c |
| 31 | +++ b/fileio.c |
| 32 | @@ -2301,8 +2301,11 @@ int do_string(__G__ length, option) /* return PK-type error code */ |
| 33 | seek_zipf(__G__ G.cur_zipfile_bufstart - G.extra_bytes + |
| 34 | (G.inptr-G.inbuf) + length); |
| 35 | } else { |
| 36 | - if (readbuf(__G__ (char *)G.extra_field, length) == 0) |
| 37 | + unsigned bytes_read = readbuf(__G__ (char *)G.extra_field, length); |
| 38 | + if (bytes_read == 0) |
| 39 | return PK_EOF; |
| 40 | + if (bytes_read != length) |
| 41 | + return PK_ERR; |
| 42 | /* Looks like here is where extra fields are read */ |
| 43 | if (getZip64Data(__G__ G.extra_field, length) != PK_COOL) |
| 44 | { |
| 45 | diff --git a/process.c b/process.c |
| 46 | index 5f8f6c6..de843a5 100644 |
| 47 | --- a/process.c |
| 48 | +++ b/process.c |
| 49 | @@ -2058,10 +2058,14 @@ int getUnicodeData(__G__ ef_buf, ef_len) |
| 50 | G.unipath_checksum = makelong(offset + ef_buf); |
| 51 | offset += 4; |
| 52 | |
| 53 | + if (!G.filename_full) { |
| 54 | + /* Check if we have a unicode extra section but no filename set */ |
| 55 | + return PK_ERR; |
| 56 | + } |
| 57 | + |
| 58 | /* |
| 59 | * Compute 32-bit crc |
| 60 | */ |
| 61 | - |
| 62 | chksum = crc32(chksum, (uch *)(G.filename_full), |
| 63 | strlen(G.filename_full)); |
| 64 | |
| 65 | -- |
| 66 | 2.32.0 |
| 67 | |