summary refs log tree commit diff
path: root/gnu/packages/patches/zziplib-CVE-2017-5978.patch
blob: 452b14f80439ca0dd66d4dd60ce102da0cb48d87 (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
Fix CVE-2017-5978:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5978

Patch copied from Debian.

Index: zziplib-0.13.62/zzip/memdisk.c
===================================================================
--- zziplib-0.13.62.orig/zzip/memdisk.c
+++ zziplib-0.13.62/zzip/memdisk.c
@@ -180,7 +180,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
      *  that exists in the other, ... but we will prefer the disk entry.
      */
     item->zz_comment = zzip_disk_entry_strdup_comment(disk, entry);
-    item->zz_name = zzip_disk_entry_strdup_name(disk, entry);
+    item->zz_name = zzip_disk_entry_strdup_name(disk, entry) ?: strdup("");
     item->zz_data = zzip_file_header_to_data(header);
     item->zz_flags = zzip_disk_entry_get_flags(entry);
     item->zz_compr = zzip_disk_entry_get_compr(entry);
@@ -197,7 +197,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
         int /*            */ ext2 = zzip_file_header_get_extras(header);
         char *_zzip_restrict ptr2 = zzip_file_header_to_extras(header);
 
-        if (ext1)
+        if (ext1 && ((ptr1 + ext1) < disk->endbuf))
         {
             void *mem = malloc(ext1 + 2);
             item->zz_ext[1] = mem;
@@ -206,7 +206,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
             ((char *) (mem))[ext1 + 0] = 0;
             ((char *) (mem))[ext1 + 1] = 0;
         }
-        if (ext2)
+        if (ext2 && ((ptr2 + ext2) < disk->endbuf))
         {
             void *mem = malloc(ext2 + 2);
             item->zz_ext[2] = mem;