Commit | Line | Data |
---|---|---|
e5da2f38 MW |
1 | From: sms |
2 | Subject: Fix CVE-2014-8141: out-of-bounds read issues in getZip64Data() | |
3 | Bug-Debian: http://bugs.debian.org/773722 | |
4 | ||
5 | --- a/fileio.c | |
6 | +++ b/fileio.c | |
7 | @@ -176,6 +176,8 @@ | |
8 | #endif | |
9 | static ZCONST char Far ExtraFieldTooLong[] = | |
10 | "warning: extra field too long (%d). Ignoring...\n"; | |
11 | +static ZCONST char Far ExtraFieldCorrupt[] = | |
12 | + "warning: extra field (type: 0x%04x) corrupt. Continuing...\n"; | |
13 | ||
14 | #ifdef WINDLL | |
15 | static ZCONST char Far DiskFullQuery[] = | |
16 | @@ -2295,7 +2297,12 @@ | |
17 | if (readbuf(__G__ (char *)G.extra_field, length) == 0) | |
18 | return PK_EOF; | |
19 | /* Looks like here is where extra fields are read */ | |
20 | - getZip64Data(__G__ G.extra_field, length); | |
21 | + if (getZip64Data(__G__ G.extra_field, length) != PK_COOL) | |
22 | + { | |
23 | + Info(slide, 0x401, ((char *)slide, | |
24 | + LoadFarString( ExtraFieldCorrupt), EF_PKSZ64)); | |
25 | + error = PK_WARN; | |
26 | + } | |
27 | #ifdef UNICODE_SUPPORT | |
28 | G.unipath_filename = NULL; | |
29 | if (G.UzO.U_flag < 2) { | |
30 | --- a/process.c | |
31 | +++ b/process.c | |
32 | @@ -1,5 +1,5 @@ | |
33 | /* | |
34 | - Copyright (c) 1990-2009 Info-ZIP. All rights reserved. | |
35 | + Copyright (c) 1990-2014 Info-ZIP. All rights reserved. | |
36 | ||
37 | See the accompanying file LICENSE, version 2009-Jan-02 or later | |
38 | (the contents of which are also included in unzip.h) for terms of use. | |
39 | @@ -1901,48 +1901,82 @@ | |
40 | and a 4-byte version of disk start number. | |
41 | Sets both local header and central header fields. Not terribly clever, | |
42 | but it means that this procedure is only called in one place. | |
43 | + | |
44 | + 2014-12-05 SMS. | |
45 | + Added checks to ensure that enough data are available before calling | |
46 | + makeint64() or makelong(). Replaced various sizeof() values with | |
47 | + simple ("4" or "8") constants. (The Zip64 structures do not depend | |
48 | + on our variable sizes.) Error handling is crude, but we should now | |
49 | + stay within the buffer. | |
50 | ---------------------------------------------------------------------------*/ | |
51 | ||
52 | +#define Z64FLGS 0xffff | |
53 | +#define Z64FLGL 0xffffffff | |
54 | + | |
55 | if (ef_len == 0 || ef_buf == NULL) | |
56 | return PK_COOL; | |
57 | ||
58 | Trace((stderr,"\ngetZip64Data: scanning extra field of length %u\n", | |
59 | ef_len)); | |
60 | ||
61 | - while (ef_len >= EB_HEADSIZE) { | |
62 | + while (ef_len >= EB_HEADSIZE) | |
63 | + { | |
64 | eb_id = makeword(EB_ID + ef_buf); | |
65 | eb_len = makeword(EB_LEN + ef_buf); | |
66 | ||
67 | - if (eb_len > (ef_len - EB_HEADSIZE)) { | |
68 | - /* discovered some extra field inconsistency! */ | |
69 | + if (eb_len > (ef_len - EB_HEADSIZE)) | |
70 | + { | |
71 | + /* Extra block length exceeds remaining extra field length. */ | |
72 | Trace((stderr, | |
73 | "getZip64Data: block length %u > rest ef_size %u\n", eb_len, | |
74 | ef_len - EB_HEADSIZE)); | |
75 | break; | |
76 | } | |
77 | - if (eb_id == EF_PKSZ64) { | |
78 | - | |
79 | + if (eb_id == EF_PKSZ64) | |
80 | + { | |
81 | int offset = EB_HEADSIZE; | |
82 | ||
83 | - if (G.crec.ucsize == 0xffffffff || G.lrec.ucsize == 0xffffffff){ | |
84 | - G.lrec.ucsize = G.crec.ucsize = makeint64(offset + ef_buf); | |
85 | - offset += sizeof(G.crec.ucsize); | |
86 | + if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL)) | |
87 | + { | |
88 | + if (offset+ 8 > ef_len) | |
89 | + return PK_ERR; | |
90 | + | |
91 | + G.crec.ucsize = G.lrec.ucsize = makeint64(offset + ef_buf); | |
92 | + offset += 8; | |
93 | } | |
94 | - if (G.crec.csize == 0xffffffff || G.lrec.csize == 0xffffffff){ | |
95 | - G.csize = G.lrec.csize = G.crec.csize = makeint64(offset + ef_buf); | |
96 | - offset += sizeof(G.crec.csize); | |
97 | + | |
98 | + if ((G.crec.csize == Z64FLGL) || (G.lrec.csize == Z64FLGL)) | |
99 | + { | |
100 | + if (offset+ 8 > ef_len) | |
101 | + return PK_ERR; | |
102 | + | |
103 | + G.csize = G.crec.csize = G.lrec.csize = makeint64(offset + ef_buf); | |
104 | + offset += 8; | |
105 | } | |
106 | - if (G.crec.relative_offset_local_header == 0xffffffff){ | |
107 | + | |
108 | + if (G.crec.relative_offset_local_header == Z64FLGL) | |
109 | + { | |
110 | + if (offset+ 8 > ef_len) | |
111 | + return PK_ERR; | |
112 | + | |
113 | G.crec.relative_offset_local_header = makeint64(offset + ef_buf); | |
114 | - offset += sizeof(G.crec.relative_offset_local_header); | |
115 | + offset += 8; | |
116 | } | |
117 | - if (G.crec.disk_number_start == 0xffff){ | |
118 | + | |
119 | + if (G.crec.disk_number_start == Z64FLGS) | |
120 | + { | |
121 | + if (offset+ 4 > ef_len) | |
122 | + return PK_ERR; | |
123 | + | |
124 | G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf); | |
125 | - offset += sizeof(G.crec.disk_number_start); | |
126 | + offset += 4; | |
127 | } | |
128 | +#if 0 | |
129 | + break; /* Expect only one EF_PKSZ64 block. */ | |
130 | +#endif /* 0 */ | |
131 | } | |
132 | ||
133 | - /* Skip this extra field block */ | |
134 | + /* Skip this extra field block. */ | |
135 | ef_buf += (eb_len + EB_HEADSIZE); | |
136 | ef_len -= (eb_len + EB_HEADSIZE); | |
137 | } |