1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
|
From: mancha <mancha1 AT zoho DOT com>
Date: Wed, 11 Feb 2015
Subject: Info-ZIP UnZip buffer overflow
Bug-Debian: https://bugs.debian.org/776589
By carefully crafting a corrupt ZIP archive with "extra fields" that
purport to have compressed blocks larger than the corresponding
uncompressed blocks in STORED no-compression mode, an attacker can
trigger a heap overflow that can result in application crash or
possibly have other unspecified impact.
This patch ensures that when extra fields use STORED mode, the
"compressed" and uncompressed block sizes match.
--- a/extract.c
+++ b/extract.c
@@ -2228,6 +2228,7 @@
ulg eb_ucsize;
uch *eb_ucptr;
int r;
+ ush eb_compr_method;
if (compr_offset < 4) /* field is not compressed: */
return PK_OK; /* do nothing and signal OK */
@@ -2244,6 +2245,15 @@
((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
return IZ_EF_TRUNC; /* no/bad compressed data! */
+ /* 2015-02-10 Mancha(?), Michal Zalewski, Tomas Hoger, SMS.
+ * For STORE method, compressed and uncompressed sizes must agree.
+ * http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450
+ */
+ eb_compr_method = makeword( eb + (EB_HEADSIZE + compr_offset));
+ if ((eb_compr_method == STORED) &&
+ (eb_size != compr_offset + EB_CMPRHEADLEN + eb_ucsize))
+ return PK_ERR;
+
if (
#ifdef INT_16BIT
(((ulg)(extent)eb_ucsize) != eb_ucsize) ||
|
