3f03a2580c
- Add CVE-2018-1000035.patch: Fix a heap-based buffer overflow in password protected ZIP archives (CVE-2018-1000035 bsc#1080074) OBS-URL: https://build.opensuse.org/request/show/574265 OBS-URL: https://build.opensuse.org/package/show/Archiving/unzip?expand=0&rev=45
From: <kbabioch@suse.com>
Date: Thu Feb 8 15:10:03 CET 2018
Upstream: merged
References: http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=548
Index: fileio.c
===================================================================
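--- a/fileio.c
+++ b/fileio.c
@@ -1613,7 +1613,11 @@ int UZ_EXP UzpPassword (pG, rcnt, pwbuf,
 int r = IZ_PW_ENTERED;
 char *m;
 char *prompt;
-
+ char *zfnf;
+ char *efnf;
+ size_t zfnfl;
+ int isOverflow;
+
 #ifndef REENTRANT
 /* tell picky compilers to shut up about "unused variable" warnings */
 pG = pG;
@@ -1621,7 +1625,15 @@ int UZ_EXP UzpPassword (pG, rcnt, pwbuf,
 
 if (*rcnt == 0) { /* First call for current entry */
 *rcnt = 2;
- if ((prompt = (char *)malloc(2*FILNAMSIZ + 15)) != (char *)NULL) {
+ zfnf = FnFilter1(zfn);
+ efnf = FnFilter2(efn);
+ zfnfl = strlen(zfnf);
+ isOverflow = TRUE;
+ if (2*FILNAMSIZ >= zfnfl && (2*FILNAMSIZ - zfnfl) >= strlen(efnf))
+ {
+ isOverflow = FALSE;
+ }
+ if ((isOverflow == FALSE) && ((prompt = (char *)malloc(2*FILNAMSIZ + 15)) != (char *)NULL)) {
 sprintf(prompt, LoadFarString(PasswPrompt),
 FnFilter1(zfn), FnFilter2(efn));
 m = prompt;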
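Review bot: The `sprintf` into `prompt` in the second hunk is still unbounded, and it calls `FnFilter1(zfn)` and `FnFilter2(efn)` again instead of using the `zfnf` and `efnf` strings whose lengths were just checked. The new guard limits the two filtered names to `2*FILNAMSIZ` bytes in total, so the `2*FILNAMSIZ + 15` allocation is sufficient only while the literal text of `PasswPrompt` plus the terminating NUL fits in 15 bytes; that format string is not visible here, so the coupling should at least be documented next to the `malloc`. Passing the checked pointers and the buffer size would make the bound explicit: `snprintf(prompt, 2*FILNAMSIZ + 15, LoadFarString(PasswPrompt), zfnf, efnf);` (assuming the supported compilers provide `snprintf`). The rest of `UzpPassword`, including the branch taken when the check fails, lies outside the hunk.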