gnu/packages/patches/zziplib-CVE-2018-16548.patch

   1 The following 3 patches applied to 0.13.69 in this order, combined:
   2 https://github.com/gdraheim/zziplib/commit/9411bde3e4a70a81ff3ffd256b71927b2d90dcbb.patch
   3 https://github.com/gdraheim/zziplib/commit/d2e5d5c53212e54a97ad64b793a4389193fec687.patch
   4 https://github.com/gdraheim/zziplib/commit/0e1dadb05c1473b9df2d7b8f298dab801778ef99.patch
   5
   6 diff --git a/test/test.zip b/test/test.zip
   7 index 2c992ea..952d475 100644
   8 Binary files a/test/test.zip and b/test/test.zip differ
   9 diff --git a/zzip/zip.c b/zzip/zip.c
  10 index 14e2e06..f97a40a 100644
  11 --- a/zzip/zip.c
  12 +++ b/zzip/zip.c
  13 @@ -472,9 +472,15 @@ __zzip_parse_root_directory(int fd,
  14          } else
  15          {
  16              if (io->fd.seeks(fd, zz_rootseek + zz_offset, SEEK_SET) < 0)
  17 +           {
  18 +               free(hdr0);
  19                  return ZZIP_DIR_SEEK;
  20 +           }
  21              if (io->fd.read(fd, &dirent, sizeof(dirent)) < __sizeof(dirent))
  22 +           {
  23 +               free(hdr0);
  24                  return ZZIP_DIR_READ;
  25 +           }
  26              d = &dirent;
  27          }
  28
  29 @@ -574,11 +580,18 @@ __zzip_parse_root_directory(int fd,
  30
  31          if (hdr_return)
  32              *hdr_return = hdr0;
  33 +       else
  34 +       {
  35 +           /* If it is not assigned to *hdr_return, it will never be free()'d */
  36 +           free(hdr0);
  37 +       }
  38      }                           /* else zero (sane) entries */
  39 +    else
  40 +        free(hdr0);
  41  #  ifndef ZZIP_ALLOW_MODULO_ENTRIES
  42 -    return (entries != zz_entries ? ZZIP_CORRUPTED : 0);
  43 +    return (entries != zz_entries) ? ZZIP_CORRUPTED : 0;
  44  #  else
  45 -    return ((entries & (unsigned)0xFFFF) != zz_entries ? ZZIP_CORRUPTED : 0);
  46 +    return ((entries & (unsigned)0xFFFF) != zz_entries) ? ZZIP_CORRUPTED : 0;
  47  #  endif
  48  }
  49