From 13f4d47275aca28de7b117359da79f1000e9bcb7 Mon Sep 17 00:00:00 2001

From: Jakub Martisko <jamartis@redhat.com>

Date: Wed, 23 May 2018 09:59:18 +0200

Subject: [PATCH] fix: CVE-2018-7725

---

 zzip/memdisk.c |  9 +++++++++

 zzip/mmapped.c | 11 ++++++++++-

 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/zzip/memdisk.c b/zzip/memdisk.c

index dc00ea8..043893e 100644

--- a/zzip/memdisk.c

+++ b/zzip/memdisk.c

@@ -413,11 +413,21 @@ zzip_mem_entry_fopen(ZZIP_MEM_DISK * dir, ZZIP_MEM_ENTRY * entry)

     file->zlib.avail_in = zzip_mem_entry_csize(entry);

     file->zlib.next_in = zzip_mem_entry_to_data(entry);

+    if (file->zlib.next_in + file->zlib.avail_in >= file->endbuf)

+         goto error;

+    if (file->zlib.next_in < file->buffer)

+         goto error;

+

     if (! zzip_mem_entry_data_deflated(entry) ||

         inflateInit2(&file->zlib, -MAX_WBITS) != Z_OK)

         { free (file); return 0; }

     return file;

+

+error:

+    errno = EBADMSG;

+    free (file);

+    return NULL;

 }

 zzip__new__ ZZIP_MEM_DISK_FILE *

diff --git a/zzip/mmapped.c b/zzip/mmapped.c

index 6fafc11..ed3a6cc 100644

--- a/zzip/mmapped.c

+++ b/zzip/mmapped.c

@@ -549,7 +549,12 @@ zzip_disk_entry_fopen(ZZIP_DISK * disk, ZZIP_DISK_ENTRY * entry)

     file->avail = zzip_file_header_usize(header);

     if (! file->avail || zzip_file_header_data_stored(header))

-        { file->stored = zzip_file_header_to_data (header); return file; }

+    { 

+        file->stored = zzip_file_header_to_data (header); 

+        if (file->stored + file->avail >= disk->endbuf)

+            goto error;

+        return file; 

+    }

     file->stored = 0;

     file->zlib.opaque = 0;

@@ -563,6 +568,10 @@ zzip_disk_entry_fopen(ZZIP_DISK * disk, ZZIP_DISK_ENTRY * entry)

         { free (file); return 0; }

     return file;

+error:

+    free (file);

+    errno = EBADMSG;

+    return 0; 

     ____;

 }

-- 

2.14.3