Patrick Williams | c124f4f | 2015-09-15 14:41:29 -0500 | [diff] [blame] | 1 | From: sms |
| 2 | Subject: Fix CVE-2014-8141: out-of-bounds read issues in getZip64Data() |
| 3 | Bug-Debian: http://bugs.debian.org/773722 |
| 4 | |
| 5 | The patch comes from unzip_6.0-8+deb7u2.debian.tar.gz |
| 6 | |
| 7 | Upstream-Status: Backport |
| 8 | |
| 9 | Signed-off-by: Roy Li <rongqing.li@windriver.com> |
| 10 | |
| 11 | |
| 12 | --- a/fileio.c |
| 13 | +++ b/fileio.c |
| 14 | @@ -176,6 +176,8 @@ |
| 15 | #endif |
| 16 | static ZCONST char Far ExtraFieldTooLong[] = |
| 17 | "warning: extra field too long (%d). Ignoring...\n"; |
| 18 | +static ZCONST char Far ExtraFieldCorrupt[] = |
| 19 | + "warning: extra field (type: 0x%04x) corrupt. Continuing...\n"; |
| 20 | |
| 21 | #ifdef WINDLL |
| 22 | static ZCONST char Far DiskFullQuery[] = |
| 23 | @@ -2295,7 +2297,12 @@ |
| 24 | if (readbuf(__G__ (char *)G.extra_field, length) == 0) |
| 25 | return PK_EOF; |
| 26 | /* Looks like here is where extra fields are read */ |
| 27 | - getZip64Data(__G__ G.extra_field, length); |
| 28 | + if (getZip64Data(__G__ G.extra_field, length) != PK_COOL) |
| 29 | + { |
| 30 | + Info(slide, 0x401, ((char *)slide, |
| 31 | + LoadFarString( ExtraFieldCorrupt), EF_PKSZ64)); |
| 32 | + error = PK_WARN; |
| 33 | + } |
| 34 | #ifdef UNICODE_SUPPORT |
| 35 | G.unipath_filename = NULL; |
| 36 | if (G.UzO.U_flag < 2) { |
| 37 | --- a/process.c |
| 38 | +++ b/process.c |
| 39 | @@ -1,5 +1,5 @@ |
| 40 | /* |
| 41 | - Copyright (c) 1990-2009 Info-ZIP. All rights reserved. |
| 42 | + Copyright (c) 1990-2014 Info-ZIP. All rights reserved. |
| 43 | |
| 44 | See the accompanying file LICENSE, version 2009-Jan-02 or later |
| 45 | (the contents of which are also included in unzip.h) for terms of use. |
| 46 | @@ -1901,48 +1901,82 @@ |
| 47 | and a 4-byte version of disk start number. |
| 48 | Sets both local header and central header fields. Not terribly clever, |
| 49 | but it means that this procedure is only called in one place. |
| 50 | + |
| 51 | + 2014-12-05 SMS. |
| 52 | + Added checks to ensure that enough data are available before calling |
| 53 | + makeint64() or makelong(). Replaced various sizeof() values with |
| 54 | + simple ("4" or "8") constants. (The Zip64 structures do not depend |
| 55 | + on our variable sizes.) Error handling is crude, but we should now |
| 56 | + stay within the buffer. |
| 57 | ---------------------------------------------------------------------------*/ |
| 58 | |
| 59 | +#define Z64FLGS 0xffff |
| 60 | +#define Z64FLGL 0xffffffff |
| 61 | + |
| 62 | if (ef_len == 0 || ef_buf == NULL) |
| 63 | return PK_COOL; |
| 64 | |
| 65 | Trace((stderr,"\ngetZip64Data: scanning extra field of length %u\n", |
| 66 | ef_len)); |
| 67 | |
| 68 | - while (ef_len >= EB_HEADSIZE) { |
| 69 | + while (ef_len >= EB_HEADSIZE) |
| 70 | + { |
| 71 | eb_id = makeword(EB_ID + ef_buf); |
| 72 | eb_len = makeword(EB_LEN + ef_buf); |
| 73 | |
| 74 | - if (eb_len > (ef_len - EB_HEADSIZE)) { |
| 75 | - /* discovered some extra field inconsistency! */ |
| 76 | + if (eb_len > (ef_len - EB_HEADSIZE)) |
| 77 | + { |
| 78 | + /* Extra block length exceeds remaining extra field length. */ |
| 79 | Trace((stderr, |
| 80 | "getZip64Data: block length %u > rest ef_size %u\n", eb_len, |
| 81 | ef_len - EB_HEADSIZE)); |
| 82 | break; |
| 83 | } |
| 84 | - if (eb_id == EF_PKSZ64) { |
| 85 | - |
| 86 | + if (eb_id == EF_PKSZ64) |
| 87 | + { |
| 88 | int offset = EB_HEADSIZE; |
| 89 | |
| 90 | - if (G.crec.ucsize == 0xffffffff || G.lrec.ucsize == 0xffffffff){ |
| 91 | - G.lrec.ucsize = G.crec.ucsize = makeint64(offset + ef_buf); |
| 92 | - offset += sizeof(G.crec.ucsize); |
| 93 | + if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL)) |
| 94 | + { |
| 95 | + if (offset+ 8 > ef_len) |
| 96 | + return PK_ERR; |
| 97 | + |
| 98 | + G.crec.ucsize = G.lrec.ucsize = makeint64(offset + ef_buf); |
| 99 | + offset += 8; |
| 100 | } |
| 101 | - if (G.crec.csize == 0xffffffff || G.lrec.csize == 0xffffffff){ |
| 102 | - G.csize = G.lrec.csize = G.crec.csize = makeint64(offset + ef_buf); |
| 103 | - offset += sizeof(G.crec.csize); |
| 104 | + |
| 105 | + if ((G.crec.csize == Z64FLGL) || (G.lrec.csize == Z64FLGL)) |
| 106 | + { |
| 107 | + if (offset+ 8 > ef_len) |
| 108 | + return PK_ERR; |
| 109 | + |
| 110 | + G.csize = G.crec.csize = G.lrec.csize = makeint64(offset + ef_buf); |
| 111 | + offset += 8; |
| 112 | } |
| 113 | - if (G.crec.relative_offset_local_header == 0xffffffff){ |
| 114 | + |
| 115 | + if (G.crec.relative_offset_local_header == Z64FLGL) |
| 116 | + { |
| 117 | + if (offset+ 8 > ef_len) |
| 118 | + return PK_ERR; |
| 119 | + |
| 120 | G.crec.relative_offset_local_header = makeint64(offset + ef_buf); |
| 121 | - offset += sizeof(G.crec.relative_offset_local_header); |
| 122 | + offset += 8; |
| 123 | } |
| 124 | - if (G.crec.disk_number_start == 0xffff){ |
| 125 | + |
| 126 | + if (G.crec.disk_number_start == Z64FLGS) |
| 127 | + { |
| 128 | + if (offset+ 4 > ef_len) |
| 129 | + return PK_ERR; |
| 130 | + |
| 131 | G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf); |
| 132 | - offset += sizeof(G.crec.disk_number_start); |
| 133 | + offset += 4; |
| 134 | } |
| 135 | +#if 0 |
| 136 | + break; /* Expect only one EF_PKSZ64 block. */ |
| 137 | +#endif /* 0 */ |
| 138 | } |
| 139 | |
| 140 | - /* Skip this extra field block */ |
| 141 | + /* Skip this extra field block. */ |
| 142 | ef_buf += (eb_len + EB_HEADSIZE); |
| 143 | ef_len -= (eb_len + EB_HEADSIZE); |
| 144 | } |