Package: unzip / 6.0-26

20-cve-2018-1000035-unzip-buffer-overflow.patch Patch series | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
From: Karol Babioch <kbabioch@suse.com>
Subject: Fix buffer overflow in password protected zip archives
Bug-Debian: https://bugs.debian.org/889838
Origin: https://bugzilla.novell.com/attachment.cgi?id=759406
X-Debian-version: 6.0-22

--- a/fileio.c
+++ b/fileio.c
@@ -1582,6 +1582,10 @@
     int r = IZ_PW_ENTERED;
     char *m;
     char *prompt;
+    char *zfnf;
+    char *efnf;
+    size_t zfnfl;
+    int isOverflow;
 
 #ifndef REENTRANT
     /* tell picky compilers to shut up about "unused variable" warnings */
@@ -1590,7 +1594,15 @@
 
     if (*rcnt == 0) {           /* First call for current entry */
         *rcnt = 2;
-        if ((prompt = (char *)malloc(2*FILNAMSIZ + 15)) != (char *)NULL) {
+        zfnf = FnFilter1(zfn);
+        efnf = FnFilter2(efn);
+        zfnfl = strlen(zfnf);
+        isOverflow = TRUE;
+        if (2*FILNAMSIZ >= zfnfl && (2*FILNAMSIZ - zfnfl) >= strlen(efnf))
+        {
+		isOverflow = FALSE;
+        }
+        if ((isOverflow == FALSE) && ((prompt = (char *)malloc(2*FILNAMSIZ + 15)) != (char *)NULL)) {
             sprintf(prompt, LoadFarString(PasswPrompt),
                     FnFilter1(zfn), FnFilter2(efn));
             m = prompt;