182 lines
6.7 KiB
Diff
182 lines
6.7 KiB
Diff
From 3e74a01aec1ab48c3848ac50fc2f8ed8b177b400 Mon Sep 17 00:00:00 2001
|
|
From: Thorsten Behrens <tbehrens@suse.com>
|
|
Date: Sat, 20 Dec 2014 01:56:42 +0100
|
|
Subject: [PATCH] Fix CVE-2014-8140 and CVE-2014-8141
|
|
|
|
CVE-2014-8140 unzip: write error (*_8349_*) shows a problem in
|
|
extract.c:test_compr_eb()
|
|
|
|
CVE-2014-8141 unzip: read errors (*_6430_*, *_3422_*) show problems in
|
|
process.c:getZip64Data()
|
|
---
|
|
extract.c | 13 +++++++++---
|
|
fileio.c | 9 ++++++++-
|
|
process.c | 68 +++++++++++++++++++++++++++++++++++++++++++++++----------------
|
|
3 files changed, 69 insertions(+), 21 deletions(-)
|
|
|
|
diff --git a/extract.c b/extract.c
|
|
index 78f637e..5d27e4b 100644
|
|
--- a/extract.c
|
|
+++ b/extract.c
|
|
@@ -2234,10 +2234,17 @@ static int test_compr_eb(__G__ eb, eb_size, compr_offset, test_uc_ebdata)
|
|
if (compr_offset < 4) /* field is not compressed: */
|
|
return PK_OK; /* do nothing and signal OK */
|
|
|
|
+ /* Return no/bad-data error status if any problem is found:
|
|
+ * 1. eb_size is too small to hold the uncompressed size
|
|
+ * (eb_ucsize). (Else extract eb_ucsize.)
|
|
+ * 2. eb_ucsize is zero (invalid). 2014-12-04 SMS.
|
|
+ * 3. eb_ucsize is positive, but eb_size is too small to hold
|
|
+ * the compressed data header.
|
|
+ */
|
|
if ((eb_size < (EB_UCSIZE_P + 4)) ||
|
|
- ((eb_ucsize = makelong(eb+(EB_HEADSIZE+EB_UCSIZE_P))) > 0L &&
|
|
- eb_size <= (compr_offset + EB_CMPRHEADLEN)))
|
|
- return IZ_EF_TRUNC; /* no compressed data! */
|
|
+ ((eb_ucsize = makelong( eb+ (EB_HEADSIZE+ EB_UCSIZE_P))) == 0L) ||
|
|
+ ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
|
|
+ return IZ_EF_TRUNC; /* no/bad compressed data! */
|
|
|
|
if (
|
|
#ifdef INT_16BIT
|
|
diff --git a/fileio.c b/fileio.c
|
|
index a381855..de93728 100644
|
|
--- a/fileio.c
|
|
+++ b/fileio.c
|
|
@@ -181,6 +181,8 @@ static ZCONST char Far FilenameTooLongTrunc[] =
|
|
#endif
|
|
static ZCONST char Far ExtraFieldTooLong[] =
|
|
"warning: extra field too long (%d). Ignoring...\n";
|
|
+static ZCONST char Far ExtraFieldCorrupt[] =
|
|
+ "warning: extra field (type: 0x%04x) corrupt. Continuing...\n";
|
|
|
|
#ifdef WINDLL
|
|
static ZCONST char Far DiskFullQuery[] =
|
|
@@ -2326,7 +2328,12 @@ int do_string(__G__ length, option) /* return PK-type error code */
|
|
if (readbuf(__G__ (char *)G.extra_field, length) == 0)
|
|
return PK_EOF;
|
|
/* Looks like here is where extra fields are read */
|
|
- getZip64Data(__G__ G.extra_field, length);
|
|
+ if (getZip64Data(__G__ G.extra_field, length) != PK_COOL)
|
|
+ {
|
|
+ Info(slide, 0x401, ((char *)slide,
|
|
+ LoadFarString( ExtraFieldCorrupt), EF_PKSZ64));
|
|
+ error = PK_WARN;
|
|
+ }
|
|
#ifdef UNICODE_SUPPORT
|
|
G.unipath_filename = NULL;
|
|
if (G.UzO.U_flag < 2) {
|
|
diff --git a/process.c b/process.c
|
|
index f1b7602..828c8aa 100644
|
|
--- a/process.c
|
|
+++ b/process.c
|
|
@@ -1,5 +1,5 @@
|
|
/*
|
|
- Copyright (c) 1990-2009 Info-ZIP. All rights reserved.
|
|
+ Copyright (c) 1990-2014 Info-ZIP. All rights reserved.
|
|
|
|
See the accompanying file LICENSE, version 2009-Jan-02 or later
|
|
(the contents of which are also included in unzip.h) for terms of use.
|
|
@@ -1901,48 +1901,82 @@ int getZip64Data(__G__ ef_buf, ef_len)
|
|
and a 4-byte version of disk start number.
|
|
Sets both local header and central header fields. Not terribly clever,
|
|
but it means that this procedure is only called in one place.
|
|
+
|
|
+ 2014-12-05 SMS.
|
|
+ Added checks to ensure that enough data are available before calling
|
|
+ makeint64() or makelong(). Replaced various sizeof() values with
|
|
+ simple ("4" or "8") constants. (The Zip64 structures do not depend
|
|
+ on our variable sizes.) Error handling is crude, but we should now
|
|
+ stay within the buffer.
|
|
---------------------------------------------------------------------------*/
|
|
|
|
+#define Z64FLGS 0xffff
|
|
+#define Z64FLGL 0xffffffff
|
|
+
|
|
if (ef_len == 0 || ef_buf == NULL)
|
|
return PK_COOL;
|
|
|
|
Trace((stderr,"\ngetZip64Data: scanning extra field of length %u\n",
|
|
ef_len));
|
|
|
|
- while (ef_len >= EB_HEADSIZE) {
|
|
+ while (ef_len >= EB_HEADSIZE)
|
|
+ {
|
|
eb_id = makeword(EB_ID + ef_buf);
|
|
eb_len = makeword(EB_LEN + ef_buf);
|
|
|
|
- if (eb_len > (ef_len - EB_HEADSIZE)) {
|
|
- /* discovered some extra field inconsistency! */
|
|
+ if (eb_len > (ef_len - EB_HEADSIZE))
|
|
+ {
|
|
+ /* Extra block length exceeds remaining extra field length. */
|
|
Trace((stderr,
|
|
"getZip64Data: block length %u > rest ef_size %u\n", eb_len,
|
|
ef_len - EB_HEADSIZE));
|
|
break;
|
|
}
|
|
- if (eb_id == EF_PKSZ64) {
|
|
-
|
|
+ if (eb_id == EF_PKSZ64)
|
|
+ {
|
|
int offset = EB_HEADSIZE;
|
|
|
|
- if (G.crec.ucsize == 0xffffffff || G.lrec.ucsize == 0xffffffff){
|
|
- G.lrec.ucsize = G.crec.ucsize = makeint64(offset + ef_buf);
|
|
- offset += sizeof(G.crec.ucsize);
|
|
+ if ((G.crec.ucsize == Z64FLGL) || (G.lrec.ucsize == Z64FLGL))
|
|
+ {
|
|
+ if (offset+ 8 > ef_len)
|
|
+ return PK_ERR;
|
|
+
|
|
+ G.crec.ucsize = G.lrec.ucsize = makeint64(offset + ef_buf);
|
|
+ offset += 8;
|
|
}
|
|
- if (G.crec.csize == 0xffffffff || G.lrec.csize == 0xffffffff){
|
|
- G.csize = G.lrec.csize = G.crec.csize = makeint64(offset + ef_buf);
|
|
- offset += sizeof(G.crec.csize);
|
|
+
|
|
+ if ((G.crec.csize == Z64FLGL) || (G.lrec.csize == Z64FLGL))
|
|
+ {
|
|
+ if (offset+ 8 > ef_len)
|
|
+ return PK_ERR;
|
|
+
|
|
+ G.csize = G.crec.csize = G.lrec.csize = makeint64(offset + ef_buf);
|
|
+ offset += 8;
|
|
}
|
|
- if (G.crec.relative_offset_local_header == 0xffffffff){
|
|
+
|
|
+ if (G.crec.relative_offset_local_header == Z64FLGL)
|
|
+ {
|
|
+ if (offset+ 8 > ef_len)
|
|
+ return PK_ERR;
|
|
+
|
|
G.crec.relative_offset_local_header = makeint64(offset + ef_buf);
|
|
- offset += sizeof(G.crec.relative_offset_local_header);
|
|
+ offset += 8;
|
|
}
|
|
- if (G.crec.disk_number_start == 0xffff){
|
|
+
|
|
+ if (G.crec.disk_number_start == Z64FLGS)
|
|
+ {
|
|
+ if (offset+ 4 > ef_len)
|
|
+ return PK_ERR;
|
|
+
|
|
G.crec.disk_number_start = (zuvl_t)makelong(offset + ef_buf);
|
|
- offset += sizeof(G.crec.disk_number_start);
|
|
+ offset += 4;
|
|
}
|
|
+#if 0
|
|
+ break; /* Expect only one EF_PKSZ64 block. */
|
|
+#endif /* 0 */
|
|
}
|
|
|
|
- /* Skip this extra field block */
|
|
+ /* Skip this extra field block. */
|
|
ef_buf += (eb_len + EB_HEADSIZE);
|
|
ef_len -= (eb_len + EB_HEADSIZE);
|
|
}
|
|
--
|
|
1.8.4.5
|
|
|