zziplib/CVE-2018-7726.patch

Index: zziplib-0.13.69/docs/zziplib.html
===================================================================
--- zziplib-0.13.69.orig/docs/zziplib.html
+++ zziplib-0.13.69/docs/zziplib.html
@@ -415,7 +415,8 @@ generated 2003-12-12
  <code>(<nobr>int fd</nobr>,
 <nobr>struct zzip_disk_trailer * trailer</nobr>,
 <nobr>struct zzip_dir_hdr ** hdr_return</nobr>,
-<nobr>zzip_plugin_io_t io</nobr>)</code>
+<nobr>zzip_plugin_io_t io</nobr>,
+<nobr>zzip_off_t filesize</nobr>)</code>
 
 </td></tr><tr valign="top">
 <td valign="top"><code>ZZIP_DIR*
@@ -1091,7 +1092,8 @@ generated 2003-12-12
  <code>(<nobr>int fd</nobr>,
 <nobr>struct zzip_disk_trailer * trailer</nobr>,
 <nobr>struct zzip_dir_hdr ** hdr_return</nobr>,
-<nobr>zzip_plugin_io_t io</nobr>)</code>
+<nobr>zzip_plugin_io_t io</nobr>,
+<nobr>zzip_off_t filesize</nobr>)</code>
 
 </code></code><dt>
 <dd><p> &nbsp;(../zzip/zip.c)
Index: zziplib-0.13.69/zzip/zip.c
===================================================================
--- zziplib-0.13.69.orig/zzip/zip.c
+++ zziplib-0.13.69/zzip/zip.c
@@ -82,7 +82,8 @@ int __zzip_fetch_disk_trailer(int fd, zz
 int __zzip_parse_root_directory(int fd,
                                 struct _disk_trailer *trailer,
                                 struct zzip_dir_hdr **hdr_return,
-                                zzip_plugin_io_t io);
+                                zzip_plugin_io_t io,
+				zzip_off_t filesize);
 
 _zzip_inline static char *__zzip_aligned4(char *p);
 
@@ -406,7 +407,8 @@ int
 __zzip_parse_root_directory(int fd,
                             struct _disk_trailer *trailer,
                             struct zzip_dir_hdr **hdr_return,
-                            zzip_plugin_io_t io)
+                            zzip_plugin_io_t io,
+			    zzip_off_t filesize);
 {
     auto struct zzip_disk_entry dirent;
     struct zzip_dir_hdr *hdr;
@@ -421,6 +423,9 @@ __zzip_parse_root_directory(int fd,
     zzip_off64_t zz_rootseek = _disk_trailer_rootseek(trailer);
     __correct_rootseek(zz_rootseek, zz_rootsize, trailer);
 
+    if (zz_rootsize <= 0 || zz_rootseek < 0 || zz_rootseek >= filesize)
+    	return ZZIP_CORRUPTED;
+
     if (zz_entries < 0 || zz_rootseek < 0 || zz_rootsize < 0)
         return ZZIP_CORRUPTED;
 
@@ -755,7 +760,7 @@ __zzip_dir_parse(ZZIP_DIR * dir)
           (long) _disk_trailer_rootseek(&trailer));
 
     if ((rv = __zzip_parse_root_directory(dir->fd, &trailer, &dir->hdr0,
-                                          dir->io)) != 0)
+                                          dir->io, filesize)) != 0)
         { goto error; }
   error:
     return rv;
Accepting request 588647 from home:jmoellers:branches:devel:libraries:c_c++ OBS-URL: https://build.opensuse.org/request/show/588647 OBS-URL: https://build.opensuse.org/package/show/devel:libraries:c_c++/zziplib?expand=0&rev=35 2018-03-19 17:24:00 +00:00			`Index: zziplib-0.13.69/docs/zziplib.html`
			`===================================================================`
			`--- zziplib-0.13.69.orig/docs/zziplib.html`
			`+++ zziplib-0.13.69/docs/zziplib.html`
			`@@ -415,7 +415,8 @@ generated 2003-12-12`
			`<code>(<nobr>int fd</nobr>,`
			`<nobr>struct zzip_disk_trailer * trailer</nobr>,`
			`<nobr>struct zzip_dir_hdr ** hdr_return</nobr>,`
			`-<nobr>zzip_plugin_io_t io</nobr>)</code>`
			`+<nobr>zzip_plugin_io_t io</nobr>,`
			`+<nobr>zzip_off_t filesize</nobr>)</code>`

			`</td></tr><tr valign="top">`
			`<td valign="top"><code>ZZIP_DIR*`
			`@@ -1091,7 +1092,8 @@ generated 2003-12-12`
			`<code>(<nobr>int fd</nobr>,`
			`<nobr>struct zzip_disk_trailer * trailer</nobr>,`
			`<nobr>struct zzip_dir_hdr ** hdr_return</nobr>,`
			`-<nobr>zzip_plugin_io_t io</nobr>)</code>`
			`+<nobr>zzip_plugin_io_t io</nobr>,`
			`+<nobr>zzip_off_t filesize</nobr>)</code>`

			`</code></code><dt>`
			`<dd><p>  (../zzip/zip.c)`
			`Index: zziplib-0.13.69/zzip/zip.c`
			`===================================================================`
			`--- zziplib-0.13.69.orig/zzip/zip.c`
			`+++ zziplib-0.13.69/zzip/zip.c`
			`@@ -82,7 +82,8 @@ int __zzip_fetch_disk_trailer(int fd, zz`
			`int __zzip_parse_root_directory(int fd,`
			`struct _disk_trailer *trailer,`
			`struct zzip_dir_hdr **hdr_return,`
			`- zzip_plugin_io_t io);`
			`+ zzip_plugin_io_t io,`
			`+ zzip_off_t filesize);`

			`_zzip_inline static char __zzip_aligned4(char p);`

			`@@ -406,7 +407,8 @@ int`
			`__zzip_parse_root_directory(int fd,`
			`struct _disk_trailer *trailer,`
			`struct zzip_dir_hdr **hdr_return,`
			`- zzip_plugin_io_t io)`
			`+ zzip_plugin_io_t io,`
			`+ zzip_off_t filesize);`
			`{`
			`auto struct zzip_disk_entry dirent;`
			`struct zzip_dir_hdr *hdr;`
			`@@ -421,6 +423,9 @@ __zzip_parse_root_directory(int fd,`
			`zzip_off64_t zz_rootseek = _disk_trailer_rootseek(trailer);`
			`__correct_rootseek(zz_rootseek, zz_rootsize, trailer);`

			`+ if (zz_rootsize <= 0 \|\| zz_rootseek < 0 \|\| zz_rootseek >= filesize)`
			`+ return ZZIP_CORRUPTED;`
			`+`
			`if (zz_entries < 0 \|\| zz_rootseek < 0 \|\| zz_rootsize < 0)`
			`return ZZIP_CORRUPTED;`

			`@@ -755,7 +760,7 @@ __zzip_dir_parse(ZZIP_DIR * dir)`
			`(long) _disk_trailer_rootseek(&trailer));`

			`if ((rv = __zzip_parse_root_directory(dir->fd, &trailer, &dir->hdr0,`
			`- dir->io)) != 0)`
			`+ dir->io, filesize)) != 0)`
			`{ goto error; }`
			`error:`
			`return rv;`