1 # --- T2-COPYRIGHT-NOTE-BEGIN ---
2 # T2 SDE: package/*/unzip/CVE-2014-8141.patch
3 # Copyright (C) 2021 The T2 SDE Project
4 #
5 # This Copyright note is generated by scripts/Create-CopyPatch,
6 # more information can be found in the files COPYING and README.
7 #
8 # This patch file is dual-licensed. It is available under the license the
9 # patched project is licensed under, as long as it is an OpenSource license
10 # as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
11 # of the GNU General Public License version 2 as used by the T2 SDE.
12 # --- T2-COPYRIGHT-NOTE-END ---
14 From RedHat: https://bugzilla.redhat.com/attachment.cgi?id=969625&action=diff
15 (unzip60/ path prefix added)
17 --- unzip60/process.c 2009-03-06 02:25:10.000000000 +0100
18 +++ unzip60/process.c 2014-12-05 22:42:39.000000000 +0100
19 @@ -1,5 +1,5 @@
21 - Copyright (c) 1990-2009 Info-ZIP. All rights reserved.
22 + Copyright (c) 1990-2014 Info-ZIP. All rights reserved.
24 See the accompanying file LICENSE, version 2009-Jan-02 or later
25 (the contents of which are also included in unzip.h) for terms of use.
26 @@ -1888,48 +1888,82 @@ int getZip64Data(__G__ ef_buf, ef_len)
27 and a 4-byte version of disk start number.
28 Sets both local header and central header fields. Not terribly clever,
29 but it means that this procedure is only called in one place.
31 + 2014-12-05 SMS.
32 + Added checks to ensure that enough data are available before calling
33 + makeint64() or makelong(). Replaced various sizeof() values with
34 + simple ("4" or "8") constants. (The Zip64 structures do not depend
35 + on our variable sizes.) Error handling is crude, but we should now
36 + stay within the buffer.
37 ---------------------------------------------------------------------------*/
39 +#define Z64FLGS 0xffff
40 +#define Z64FLGL 0xffffffff
42 if (ef_len == 0 || ef_buf == NULL)
43 return PK_COOL;
45 Trace((stderr,"\ngetZip64Data: scanning extra field of length %u\n",
46 ef_len));
48 - while (ef_len >= EB_HEADSIZE) {
49 + while (ef_len >= EB_HEADSIZE)
50 + {
51 eb_id = makeword(EB_ID + ef_buf);
52 eb_len = makeword(EB_LEN + ef_buf);
54 - if (eb_len > (ef_len - EB_HEADSIZE)) {
55 - /* discovered some extra field inconsistency! */
56 + if (eb_len > (ef_len - EB_HEADSIZE))
57 + {
58 + /* Extra block length exceeds remaining extra field length. */
59 Trace((stderr,
60 "getZip64Data: block length %u > rest ef_size %u\n", eb_len,
61 ef_len - EB_HEADSIZE));
62 break;
64 - if (eb_id == EF_PKSZ64) {
66 + if (eb_id == EF_PKSZ64)
67 + {
68 int offset = EB_HEADSIZE;
70 - if (G.crec.ucsize == 0xffffffff || G.lrec.ucsize == 0xffffffff){
71 - G.lrec.ucsize = G.crec.ucsize = makeint64(offset + ef_buf);
72 - offset += sizeof(G.crec.ucsize);
73 + if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL))
74 + {
75 + if (offset+ 8 > ef_len)
76 + return PK_ERR;
78 + G.crec.ucsize = G.lrec.ucsize = makeint64(offset + ef_buf);
79 + offset += 8;
81 - if (G.crec.csize == 0xffffffff || G.lrec.csize == 0xffffffff){
82 - G.csize = G.lrec.csize = G.crec.csize = makeint64(offset + ef_buf);
83 - offset += sizeof(G.crec.csize);
85 + if ((G.crec.csize == Z64FLGL) || (G.lrec.csize == Z64FLGL))
86 + {
87 + if (offset+ 8 > ef_len)
88 + return PK_ERR;
90 + G.csize = G.crec.csize = G.lrec.csize = makeint64(offset + ef_buf);
91 + offset += 8;
93 - if (G.crec.relative_offset_local_header == 0xffffffff){
95 + if (G.crec.relative_offset_local_header == Z64FLGL)
96 + {
97 + if (offset+ 8 > ef_len)
98 + return PK_ERR;
100 G.crec.relative_offset_local_header = makeint64(offset + ef_buf);
101 - offset += sizeof(G.crec.relative_offset_local_header);
102 + offset += 8;
104 - if (G.crec.disk_number_start == 0xffff){
106 + if (G.crec.disk_number_start == Z64FLGS)
108 + if (offset+ 4 > ef_len)
109 + return PK_ERR;
111 G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf);
112 - offset += sizeof(G.crec.disk_number_start);
113 + offset += 4;
115 +#if 0
116 + break; /* Expect only one EF_PKSZ64 block. */
117 +#endif /* 0 */
120 - /* Skip this extra field block */
121 + /* Skip this extra field block. */
122 ef_buf += (eb_len + EB_HEADSIZE);
123 ef_len -= (eb_len + EB_HEADSIZE);
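Review bot: The new bounds checks (`if (offset+ 8 > ef_len) return PK_ERR;` and the `+ 4` variant for the disk number) compare against the remaining extra-field length rather than against this block's own `eb_len`, so a Zip64 block that declares fewer bytes than the fields it must carry is not rejected as long as later extra-field blocks pad the buffer; the makeint64()/makelong() reads then take the following block's header bytes as sizes and offsets. Because `eb_len <= ef_len - EB_HEADSIZE` is already enforced at the top of the loop, checking `if (offset + 8 > eb_len + EB_HEADSIZE) return PK_ERR;` is at least as tight for memory safety and additionally rejects a truncated block instead of silently misparsing it. The `#if 0 break;` stanza is dead code; either drop it or replace it with a comment saying that several EF_PKSZ64 blocks are deliberately tolerated and the last one wins. getZip64Data begins before this hunk and its closing lines are outside it.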
125 --- unzip60/fileio.c 2009-04-20 02:03:44.000000000 +0200
126 +++ unzip60/fileio.c 2014-12-05 22:44:16.000000000 +0100
127 @@ -176,6 +176,8 @@ static ZCONST char Far FilenameTooLongTr
128 #endif
129 static ZCONST char Far ExtraFieldTooLong[] =
130 "warning: extra field too long (%d). Ignoring...\n";
131 +static ZCONST char Far ExtraFieldCorrupt[] =
132 + "warning: extra field (type: 0x%04x) corrupt. Continuing...\n";
134 #ifdef WINDLL
135 static ZCONST char Far DiskFullQuery[] =
136 @@ -2295,7 +2297,12 @@ int do_string(__G__ length, option) /*
137 if (readbuf(__G__ (char *)G.extra_field, length) == 0)
138 return PK_EOF;
139 /* Looks like here is where extra fields are read */
140 - getZip64Data(__G__ G.extra_field, length);
141 + if (getZip64Data(__G__ G.extra_field, length) != PK_COOL)
143 + Info(slide, 0x401, ((char *)slide,
144 + LoadFarString( ExtraFieldCorrupt), EF_PKSZ64));
145 + error = PK_WARN;
147 #ifdef UNICODE_SUPPORT
148 G.unipath_filename = NULL;
149 if (G.UzO.U_flag < 2) {
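Review bot: Downgrading getZip64Data()'s PK_ERR to `error = PK_WARN` lets processing continue with G.crec/G.lrec possibly half-updated: in getZip64Data() ucsize can already have been overwritten before the check for csize fails, so this entry goes on with a mix of 64-bit values and still-0xffffffff placeholders, and whether a later check rejects such an entry is not visible from this hunk. If a corrupt Zip64 block is meant to make the entry unusable, `error = PK_ERR;` matches the "corrupt" wording of the new message better; if best-effort continuation is deliberate, a comment such as `/* Zip64 sizes may be partially applied; treat crec/lrec sizes as untrusted from here. */` above the Info() call would tell the next reader what state the headers are in. do_string() begins before this hunk and ends after it.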