unzip/CVE-2022-0529.patch

From: Enrico Zini <enrico@debian.org>
Subject: Fix wide string conversion
Bug-Debian: https://bugs.debian.org/1010355
X-Debian-version: 6.0-27

--- a/process.c
+++ b/process.c
@@ -2507,13 +2507,15 @@
   char buf[9];
   char *buffer = NULL;
   char *local_string = NULL;
+  size_t buffer_size;
 
   for (wsize = 0; wide_string[wsize]; wsize++) ;
 
   if (max_bytes < MAX_ESCAPE_BYTES)
     max_bytes = MAX_ESCAPE_BYTES;
 
-  if ((buffer = (char *)malloc(wsize * max_bytes + 1)) == NULL) {
+  buffer_size = wsize * max_bytes + 1;
+  if ((buffer = (char *)malloc(buffer_size)) == NULL) {
     return NULL;
   }
 
@@ -2552,7 +2554,11 @@
       /* no MB for this wide */
         /* use escape for wide character */
         char *escape_string = wide_to_escape_string(wide_string[i]);
-        strcat(buffer, escape_string);
+        size_t buffer_len = strlen(buffer);
+        size_t escape_string_len = strlen(escape_string);
+        if (buffer_len + escape_string_len + 1 > buffer_size)
+          escape_string_len = buffer_size - buffer_len - 1;
+        strncat(buffer, escape_string, escape_string_len);
         free(escape_string);
     }
   }
Accepting request 1005199 from home:dspinella:branches:Archiving - Fix CVE-2022-0530, SIGSEGV during the conversion of an utf-8 string to a local string (CVE-2022-0530, bsc#1196177) * CVE-2022-0530.patch - Fix CVE-2022-0529, Heap out-of-bound writes and reads during conversion of wide string to local string (CVE-2022-0529, bsc#1196180) * CVE-2022-0529.patch OBS-URL: https://build.opensuse.org/request/show/1005199 OBS-URL: https://build.opensuse.org/package/show/Archiving/unzip?expand=0&rev=58 2022-09-21 14:52:47 +02:00			`From: Enrico Zini <enrico@debian.org>`
			`Subject: Fix wide string conversion`
			`Bug-Debian: https://bugs.debian.org/1010355`
			`X-Debian-version: 6.0-27`

			`--- a/process.c`
			`+++ b/process.c`
			`@@ -2507,13 +2507,15 @@`
			`char buf[9];`
			`char *buffer = NULL;`
			`char *local_string = NULL;`
			`+ size_t buffer_size;`

			`for (wsize = 0; wide_string[wsize]; wsize++) ;`

			`if (max_bytes < MAX_ESCAPE_BYTES)`
			`max_bytes = MAX_ESCAPE_BYTES;`

			`- if ((buffer = (char )malloc(wsize max_bytes + 1)) == NULL) {`
			`+ buffer_size = wsize * max_bytes + 1;`
			`+ if ((buffer = (char *)malloc(buffer_size)) == NULL) {`
			`return NULL;`
			`}`

			`@@ -2552,7 +2554,11 @@`
			`/* no MB for this wide */`
			`/* use escape for wide character */`
			`char *escape_string = wide_to_escape_string(wide_string[i]);`
			`- strcat(buffer, escape_string);`
			`+ size_t buffer_len = strlen(buffer);`
			`+ size_t escape_string_len = strlen(escape_string);`
			`+ if (buffer_len + escape_string_len + 1 > buffer_size)`
			`+ escape_string_len = buffer_size - buffer_len - 1;`
			`+ strncat(buffer, escape_string, escape_string_len);`
			`free(escape_string);`
			`}`
			`}`