summary refs log tree commit diff
path: root/gnu/packages/patches/zziplib-CVE-2018-16548.patch
blob: a17c6a9768793246f2ea4895fd24db33476dc63d (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
The following 3 patches applied to 0.13.69 in this order, combined:
https://github.com/gdraheim/zziplib/commit/9411bde3e4a70a81ff3ffd256b71927b2d90dcbb.patch
https://github.com/gdraheim/zziplib/commit/d2e5d5c53212e54a97ad64b793a4389193fec687.patch
https://github.com/gdraheim/zziplib/commit/0e1dadb05c1473b9df2d7b8f298dab801778ef99.patch

diff --git a/test/test.zip b/test/test.zip
index 2c992ea..952d475 100644
Binary files a/test/test.zip and b/test/test.zip differ
diff --git a/zzip/zip.c b/zzip/zip.c
index 14e2e06..f97a40a 100644
--- a/zzip/zip.c
+++ b/zzip/zip.c
@@ -472,9 +472,15 @@ __zzip_parse_root_directory(int fd,
         } else
         {
             if (io->fd.seeks(fd, zz_rootseek + zz_offset, SEEK_SET) < 0)
+	    {
+	    	free(hdr0);
                 return ZZIP_DIR_SEEK;
+	    }
             if (io->fd.read(fd, &dirent, sizeof(dirent)) < __sizeof(dirent))
+	    {
+	    	free(hdr0);
                 return ZZIP_DIR_READ;
+	    }
             d = &dirent;
         }
 
@@ -574,11 +580,18 @@ __zzip_parse_root_directory(int fd,
 
         if (hdr_return)
             *hdr_return = hdr0;
+	else
+	{
+	    /* If it is not assigned to *hdr_return, it will never be free()'d */
+	    free(hdr0);
+	}
     }                           /* else zero (sane) entries */
+    else
+        free(hdr0);
 #  ifndef ZZIP_ALLOW_MODULO_ENTRIES
-    return (entries != zz_entries ? ZZIP_CORRUPTED : 0);
+    return (entries != zz_entries) ? ZZIP_CORRUPTED : 0;
 #  else
-    return ((entries & (unsigned)0xFFFF) != zz_entries ? ZZIP_CORRUPTED : 0);
+    return ((entries & (unsigned)0xFFFF) != zz_entries) ? ZZIP_CORRUPTED : 0;
 #  endif
 }