Fix CVE-2017-5976:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5976

Patch copied from Debian.

Index: zziplib-0.13.62/zzip/memdisk.c
===================================================================
--- zziplib-0.13.62.orig/zzip/memdisk.c
+++ zziplib-0.13.62/zzip/memdisk.c
@@ -201,6 +201,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
         {
             void *mem = malloc(ext1 + 2);
             item->zz_ext[1] = mem;
+	    item->zz_extlen[1] = ext1 + 2;
             memcpy(mem, ptr1, ext1);
             ((char *) (mem))[ext1 + 0] = 0;
             ((char *) (mem))[ext1 + 1] = 0;
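Review bot: The length recorded on the added `item->zz_extlen[1] = ext1 + 2;` line is stored before the `malloc(ext1 + 2)` result two lines above is checked, so on allocation failure `zz_extlen[1]` holds a positive length for a NULL `zz_ext[1]`, and the `memcpy` that follows dereferences NULL regardless. The same applies to the `zz_extlen[2]` line in the next hunk. A guard of the form `if (mem == NULL) { item->zz_extlen[1] = 0; /* take the function's failure path */ }` placed before the store would keep the length consistent with the pointer; what that failure path is cannot be seen here, since the body and return convention of zzip_mem_entry_new lie outside the hunk. The type of `ext1` is also not visible; if it is wider than `int`, the store into the `int` field narrows the value, which is worth confirming against the declaration.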
@@ -209,6 +210,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
         {
             void *mem = malloc(ext2 + 2);
             item->zz_ext[2] = mem;
+	    item->zz_extlen[2] = ext2 + 2;
             memcpy(mem, ptr2, ext2);
             ((char *) (mem))[ext2 + 0] = 0;
             ((char *) (mem))[ext2 + 1] = 0;
@@ -245,8 +247,10 @@ zzip_mem_entry_extra_block(ZZIP_MEM_ENTR
     while (1)
     {
         ZZIP_EXTRA_BLOCK *ext = entry->zz_ext[i];
-        if (ext)
+        if (ext && (entry->zz_extlen[i] >= zzip_extra_block_headerlength))
         {
+	    char *endblock = (char *)ext + entry->zz_extlen[i];
+
             while (*(short *) (ext->z_datatype))
             {
                 if (datatype == zzip_extra_block_get_datatype(ext))
@@ -257,6 +261,10 @@ zzip_mem_entry_extra_block(ZZIP_MEM_ENTR
                 e += zzip_extra_block_headerlength;
                 e += zzip_extra_block_get_datasize(ext);
                 ext = (void *) e;
+		if (e >= endblock)
+		{
+		    break;
+		}
                 ____;
             }
         }
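Review bot: The new `if (e >= endblock)` bound only rejects a next block that starts at or beyond the end of the buffer; a block that starts inside the buffer but whose header straddles the end is still read on the next iteration, because the loop condition `*(short *) (ext->z_datatype)` and the `zzip_extra_block_get_datasize(ext)` call read `zzip_extra_block_headerlength` bytes before any check. Replacing the condition with `if (e >= endblock || (size_t)(endblock - e) < zzip_extra_block_headerlength)` ensures the whole next header lies within `zz_extlen[i]`. Since `e` is advanced by a datasize taken from the archive, the more robust variant is to validate that datasize against the remaining length before advancing rather than only comparing afterwards; the block returned on a datatype match is likewise not checked to fit within `endblock`, which callers presumably rely on. The enclosing function zzip_mem_entry_extra_block begins and ends outside this hunk, and the declaration of `e` is not visible.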
Index: zziplib-0.13.62/zzip/memdisk.h
===================================================================
--- zziplib-0.13.62.orig/zzip/memdisk.h
+++ zziplib-0.13.62/zzip/memdisk.h
@@ -66,6 +66,7 @@ struct _zzip_mem_entry {
     int              zz_filetype;  /* (from "z_filetype") */
     char*            zz_comment;   /* zero-terminated (from "comment") */
     ZZIP_EXTRA_BLOCK* zz_ext[3];   /* terminated by null in z_datatype */
+    int              zz_extlen[3]; /* length of zz_ext[i] in bytes */
 };                                 /* the extra blocks are NOT converted */
 
 #define _zzip_mem_disk_findfirst(_d_) ((_d_)->list)
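Review bot: The comment on the added `zz_extlen[3]` field says "length of zz_ext[i] in bytes", but the value stored in memdisk.c is the allocated size `ext1 + 2`, i.e. the extra data plus the two zero bytes appended after it, and zzip_mem_entry_extra_block treats it as the end of the readable region; the comment should say so, e.g. `int zz_extlen[3]; /* allocated size of zz_ext[i] in bytes (extra data + 2 zero bytes); only meaningful when zz_ext[i] is non-NULL */`. Adding a member to `struct _zzip_mem_entry` changes its size and the offsets of anything declared after it, so if this header is installed and the struct is allocated or embedded by external callers the patch is an ABI change; whether the struct is public cannot be seen from this hunk and is worth confirming. The field is declared `int` while it is compared with `zzip_extra_block_headerlength` and used as a pointer offset; a `size_t` would avoid sign and width questions if the surrounding types allow it.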