001-CVE-2014-8139-crc-overflow.patch 1.9 KB

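--- a/extract.c
+++ b/extract.c
@@ -1,5 +1,5 @@
 /*
- Copyright (c) 1990-2009 Info-ZIP. All rights reserved.
+ Copyright (c) 1990-2014 Info-ZIP. All rights reserved.
 See the accompanying file LICENSE, version 2009-Jan-02 or later
 (the contents of which are also included in unzip.h) for terms of use.
@@ -298,6 +298,8 @@ char ZCONST Far TruncNTSD[] =
 #ifndef SFX
 static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \
 EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n";
+ static ZCONST char Far TooSmallEBlength[] = "bad extra-field entry:\n \
+ EF block length (%u bytes) invalid (< %d)\n";
 static ZCONST char Far InvalidComprDataEAs[] =
 " invalid compressed data for EAs\n";
 # if (defined(WIN32) && defined(NTSD_EAS))
@@ -2023,7 +2025,8 @@ static int TestExtraField(__G__ ef, ef_l
 ebID = makeword(ef);
 ebLen = (unsigned)makeword(ef+EB_LEN);
- if (ebLen > (ef_len - EB_HEADSIZE)) {
+ if (ebLen > (ef_len - EB_HEADSIZE))
+ {
 /* Discovered some extra field inconsistency! */
 if (uO.qflag)
 Info(slide, 1, ((char *)slide, "%-22s ",
@@ -2158,11 +2161,19 @@ static int TestExtraField(__G__ ef, ef_l
 }
 break;
 case EF_PKVMS:
- if (makelong(ef+EB_HEADSIZE) !=
+ if (ebLen < 4)
+ {
+ Info(slide, 1,
+ ((char *)slide, LoadFarString(TooSmallEBlength),
+ ebLen, 4));
+ }
+ else if (makelong(ef+EB_HEADSIZE) !=
 crc32(CRCVAL_INITIAL, ef+(EB_HEADSIZE+4),
 (extent)(ebLen-4)))
+ {
 Info(slide, 1, ((char *)slide,
 LoadFarString(BadCRC_EAs)));
+ }
 break;
 case EF_PKW32:
 case EF_PKUNIX: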
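Review bot: In the EF_PKVMS case the new `ebLen < 4` branch prints TooSmallEBlength and then reaches `break`, so within the visible lines a block too short to hold its CRC is reported but does not alter what TestExtraField returns, the same as the bad-CRC branch beside it. If a malformed length should fail the archive test, the branch should return the function's error status the way the inconsistent-length path presumably does (its return is outside the hunk, so confirm it). The literal 4 now appears four times (`ebLen < 4`, the message argument, `EB_HEADSIZE+4`, `ebLen-4`); a named constant and a comment such as `/* block starts with a 4-byte CRC; ebLen-4 would wrap when cast to extent */` would keep the guard and the subtraction in step. Only EF_PKVMS is guarded here; whether other cases in this switch subtract a fixed size from ebLen without a prior check cannot be seen from this hunk and is worth confirming.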