From: Luciano Bello <luciano@debian.org>
Subject: Check whether size fields in a ZIP entry are negative numbers.
Origin: upstream, http://git.ghostscript.com/?p=mupdf.git;h=0f0fbc07d9be31f5e83ec5328d7311fdfd8328b1
Bug-Debian: https://bugs.debian.org/877379
X-CVE: CVE-2017-14686
Index: mupdf-1.9a+ds1/source/fitz/unzip.c
===================================================================
--- mupdf-1.9a+ds1.orig/source/fitz/unzip.c
+++ mupdf-1.9a+ds1/source/fitz/unzip.c
@@ -170,6 +170,9 @@ static void read_zip_dir_imp(fz_context
(void) fz_read_int32_le(ctx, file); /* ext file atts */
zip->table[i].offset = fz_read_int32_le(ctx, file);
+ if (namesize < 0 || metasize < 0 || commentsize < 0)
+ fz_throw(ctx, FZ_ERROR_GENERIC, "invalid size in zip entry");
+
zip->table[i].name = fz_malloc(ctx, namesize + 1);
fz_read(ctx, file, (unsigned char*)zip->table[i].name, namesize);
zip->table[i].name[namesize] = 0;
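Review bot: The result of `fz_read` on the line after the allocation is still discarded, so on a truncated archive part of `name` is never written, and nothing visible here zeroes the `fz_malloc` buffer before the terminator is stored at `name[namesize]`. Assuming `fz_read` returns the number of bytes actually read, the call could be guarded as `if (fz_read(ctx, file, (unsigned char*)zip->table[i].name, namesize) < namesize) fz_throw(ctx, FZ_ERROR_GENERIC, "premature end of data in zip entry name");`. The new check also leaves `zip->table[i].offset` unvalidated although it comes from the same signed 32-bit read; a `zip->table[i].offset < 0` term in the same condition would reject it at parse time rather than at the later seek. read_zip_dir_imp starts and ends outside the hunk, so whether names allocated for earlier entries are released when the added `fz_throw` fires should be confirmed against the caller's cleanup path.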