Commit | Line | Data |
---|---|---|
e5da2f38 MW |
1 | From: sms |
2 | Subject: Fix CVE-2014-8139: CRC32 verification heap-based overflow | |
3 | Bug-Debian: http://bugs.debian.org/773722 | |
4 | ||
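--- a/extract.c
+++ b/extract.c
@@ -1,5 +1,5 @@
 /*
- Copyright (c) 1990-2009 Info-ZIP. All rights reserved.
+ Copyright (c) 1990-2014 Info-ZIP. All rights reserved.
 
 See the accompanying file LICENSE, version 2009-Jan-02 or later
 (the contents of which are also included in unzip.h) for terms of use.
@@ -298,6 +298,8 @@
 #ifndef SFX
 static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \
 EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n";
+ static ZCONST char Far TooSmallEFlength[] = "bad extra-field entry:\n \
+ EF block length (%u bytes) invalid (< %d)\n";
 static ZCONST char Far InvalidComprDataEAs[] =
 " invalid compressed data for EAs\n";
 # if (defined(WIN32) && defined(NTSD_EAS))
@@ -2023,7 +2025,8 @@
 ebID = makeword(ef);
 ebLen = (unsigned)makeword(ef+EB_LEN);
 
- if (ebLen > (ef_len - EB_HEADSIZE)) {
+ if (ebLen > (ef_len - EB_HEADSIZE))
+ {
 /* Discovered some extra field inconsistency! */
 if (uO.qflag)
 Info(slide, 1, ((char *)slide, "%-22s ",
@@ -2032,6 +2035,16 @@
 ebLen, (ef_len - EB_HEADSIZE)));
 return PK_ERR;
 }
+ else if (ebLen < EB_HEADSIZE)
+ {
+ /* Extra block length smaller than header length. */
+ if (uO.qflag)
+ Info(slide, 1, ((char *)slide, "%-22s ",
+ FnFilter1(G.filename)));
+ Info(slide, 1, ((char *)slide, LoadFarString(TooSmallEFlength),
+ ebLen, EB_HEADSIZE));
+ return PK_ERR;
+ }
 
 switch (ebID) {
 case EF_OS2: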
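Review bot: The added `else if (ebLen < EB_HEADSIZE)` branch in the last hunk sits before `switch (ebID)`, so it returns PK_ERR for every extra-field block with fewer than EB_HEADSIZE data bytes, whatever its type. The preceding test compares `ebLen` with `ef_len - EB_HEADSIZE`, which suggests `ebLen` counts only the data after the block header; if so, a short or empty block is not malformed in itself, and archives carrying one would now fail testing. The bound is also tied to the header size rather than to what the CRC-verification path actually reads, so it may not match the bytes each block type needs. I would move the minimum-length test into the `case` arms that read a fixed-size prefix before the CRC check (starting with `case EF_OS2:`), comparing `ebLen` against the size that arm consumes and reporting it through `TooSmallEFlength`. The enclosing function and the switch body continue outside the hunk, so the per-case sizes need to be confirmed there.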