1 # --- T2-COPYRIGHT-NOTE-BEGIN ---
2 # T2 SDE: package/*/unzip/unzip-6.0-heap-overflow-infloop.patch
3 # Copyright (C) 2021 The T2 SDE Project
5 # This Copyright note is generated by scripts/Create-CopyPatch,
6 # more information can be found in the files COPYING and README.
8 # This patch file is dual-licensed. It is available under the license the
9 # patched project is licensed under, as long as it is an OpenSource license
10 # as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
11 # of the GNU General Public License version 2 as used by the T2 SDE.
12 # --- T2-COPYRIGHT-NOTE-END ---
14 From bdd4a0cecd745cb4825e4508b5bdf2579731086a Mon Sep 17 00:00:00 2001
15 From: Petr Stodulka <pstodulk@redhat.com>
16 Date: Mon, 14 Sep 2015 18:23:17 +0200
17 Subject: [PATCH 1/3] upstream fix for heap overflow
19 https://bugzilla.redhat.com/attachment.cgi?id=1073002
21 crypt.c | 12 +++++++++++-
22 1 file changed, 11 insertions(+), 1 deletion(-)
24 diff --git a/crypt.c b/crypt.c
25 index 784e411..a8975f2 100644
28 @@ -465,7 +465,17 @@ int decrypt(__G__ passwrd)
29 GLOBAL(pInfo->encrypted) = FALSE;
30 defer_leftover_input(__G);
31 for (n = 0; n < RAND_HEAD_LEN; n++) {
33 + /* 2012-11-23 SMS. (OUSPG report.)
34 + * Quit early if compressed size < HEAD_LEN. The resulting
35 + * error message ("unable to get password") could be improved,
36 + * but it's better than trying to read nonexistent data, and
37 + * then continuing with a negative G.csize. (See
38 + * fileio.c:readbyte()).
40 + if ((b = NEXTBYTE) == (ush)EOF)
45 Trace((stdout, " (%02x)", h[n]));
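Review bot: The comment added above the early-exit check refers to `HEAD_LEN`, but the loop bound on the preceding line and the quantity the check actually guards is `RAND_HEAD_LEN`, so the comment sends a reader to a name that does not appear in this hunk; suggest `* Quit early if compressed size < RAND_HEAD_LEN. The resulting`. The same 12-byte encryption-header length is spelled as the literal `12` in the extract.c hunk of patch 3/3 (`if (csiz_decrypted < 12) {` and `csiz_decrypted -= 12;`); if `RAND_HEAD_LEN` is visible from extract.c, using it there instead of the literal would tie that size check to the one here. The line carrying the csize comparison itself and the added `return` are not in view, and decrypt()'s loop body continues outside the hunk.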
51 From 4b48844661ff9569f2ecf582a387d46a5775b5d8 Mon Sep 17 00:00:00 2001
52 From: Kamil Dudka <kdudka@redhat.com>
53 Date: Mon, 14 Sep 2015 18:24:56 +0200
54 Subject: [PATCH 2/3] fix infinite loop when extracting empty bzip2 data
56 Bug: https://sourceforge.net/p/infozip/patches/23/
59 1 file changed, 6 insertions(+)
61 diff --git a/extract.c b/extract.c
62 index 7134bfe..29db027 100644
65 @@ -2733,6 +2733,12 @@ __GDEF
69 + if (G.incnt <= 0 && G.csize <= 0L) {
70 + /* avoid an infinite loop */
71 + Trace((stderr, "UZbunzip2() got empty input\n"));
75 #if (defined(DLL) && !defined(NO_SLIDE_REDIR))
77 wsize = G.redirect_size, redirSlide = G.redirect_buffer;
82 From bd150334fb4084f5555a6be26b015a0671cb5b74 Mon Sep 17 00:00:00 2001
83 From: Kamil Dudka <kdudka@redhat.com>
84 Date: Tue, 22 Sep 2015 18:52:23 +0200
85 Subject: [PATCH 3/3] extract: prevent unsigned overflow on invalid input
87 Suggested-by: Stefan Cornelius
89 extract.c | 11 ++++++++++-
90 1 file changed, 10 insertions(+), 1 deletion(-)
92 diff --git a/extract.c b/extract.c
93 index 29db027..b9ae667 100644
96 @@ -1257,8 +1257,17 @@ static int extract_or_test_entrylist(__G__ numchunk,
97 if (G.lrec.compression_method == STORED) {
98 zusz_t csiz_decrypted = G.lrec.csize;
100 - if (G.pInfo->encrypted)
101 + if (G.pInfo->encrypted) {
102 + if (csiz_decrypted < 12) {
103 + /* handle the error now to prevent unsigned overflow */
104 + Info(slide, 0x401, ((char *)slide,
105 + LoadFarStringSmall(ErrUnzipNoFile),
106 + LoadFarString(InvalidComprData),
107 + LoadFarStringSmall2(Inflate)));
110 csiz_decrypted -= 12;
112 if (G.lrec.ucsize != csiz_decrypted) {
113 Info(slide, 0x401, ((char *)slide,
114 LoadFarStringSmall2(WrnStorUCSizCSizDiff),