Attachment 475068 Details for Bug 620470 – cve-2014-9636.patch

[patch] cve-2014-9636.patch

cve-2014-9636.patch (text/plain), 1.56 KB, created by Andrey Ovcharov on 2017-06-03 05:28:29 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Andrey Ovcharov

Created: 2017-06-03 05:28:29 UTC

Size: 1.56 KB

patch

obsolete

>From 190040ebfcf5395a6ccedede2cc9343d34f0a108 Mon Sep 17 00:00:00 2001
>From: mancha <mancha1 AT zoho DOT com>
>Date: Wed, 11 Feb 2015
>Subject: Info-ZIP UnZip buffer overflow
>
>Upstream-Status: Backport
>CVE: CVE-2014-9636
>
>By carefully crafting a corrupt ZIP archive with "extra fields" that
>purport to have compressed blocks larger than the corresponding
>uncompressed blocks in STORED no-compression mode, an attacker can
>trigger a heap overflow that can result in application crash or
>possibly have other unspecified impact.
>
>This patch ensures that when extra fields use STORED mode, the
>"compressed" and uncompressed block sizes match.
>
>Signed-off-by: mancha <mancha1 AT zoho DOT com>
>---
> extract.c |    8 ++++++++
> 1 file changed, 8 insertions(+)
>
>--- a/extract.c
>+++ b/extract.c
>@@ -2217,6 +2217,7 @@ static int test_compr_eb(__G__ eb, eb_si
>     ulg eb_ucsize;
>     uch *eb_ucptr;
>     int r;
>+    ush method;
> 
>     if (compr_offset < 4)                /* field is not compressed: */
>         return PK_OK;                    /* do nothing and signal OK */
>@@ -2226,6 +2227,13 @@ static int test_compr_eb(__G__ eb, eb_si
>          eb_size <= (compr_offset + EB_CMPRHEADLEN)))
>         return IZ_EF_TRUNC;               /* no compressed data! */
> 
>+    method = makeword(eb + (EB_HEADSIZE + compr_offset));
>+    if ((method == STORED) &&
>+        (eb_size - compr_offset - EB_CMPRHEADLEN != eb_ucsize))
>+	return PK_ERR;			  /* compressed & uncompressed
>+					   * should match in STORED
>+					   * method */
>+
>     if (
> #ifdef INT_16BIT
>         (((ulg)(extent)eb_ucsize) != eb_ucsize) ||

Actions: View | Diff

Attachments on bug 620470: 475062 | 475064 | 475066 | 475068