From 13f4d47275aca28de7b117359da79f1000e9bcb7 Mon Sep 17 00:00:00 2001
From: Jakub Martisko
Date: Wed, 23 May 2018 09:59:18 +0200
Subject: [PATCH] fix: CVE-2018-7725
---
 zzip/memdisk.c | 9 +++++++++
 zzip/mmapped.c | 11 ++++++++++-
 2 files changed, 19 insertions(+), 1 deletion(-)
diff --git a/zzip/memdisk.c b/zzip/memdisk.c
index dc00ea8..043893e 100644
--- a/zzip/memdisk.c
+++ b/zzip/memdisk.c
@@ -413,11 +413,21 @@ zzip_mem_entry_fopen(ZZIP_MEM_DISK * dir, ZZIP_MEM_ENTRY * entry)
 file->zlib.avail_in = zzip_mem_entry_csize(entry);
 file->zlib.next_in = zzip_mem_entry_to_data(entry);
+ if (file->zlib.next_in + file->zlib.avail_in >= file->endbuf)
+ goto error;
+ if (file->zlib.next_in < file->buffer)
+ goto error;
+
 if (! zzip_mem_entry_data_deflated(entry) || inflateInit2(&file->zlib, -MAX_WBITS) != Z_OK) { free (file); return 0; }
 return file;
+
+error:
+ errno = EBADMSG;
+ free (file);
+ return NULL;
 }
 zzip__new__ ZZIP_MEM_DISK_FILE *
diff --git a/zzip/mmapped.c b/zzip/mmapped.c
index 6fafc11..ed3a6cc 100644
--- a/zzip/mmapped.c
+++ b/zzip/mmapped.c
@@ -549,7 +549,12 @@ zzip_disk_entry_fopen(ZZIP_DISK * disk, ZZIP_DISK_ENTRY * entry)
 file->avail = zzip_file_header_usize(header);
 if (! file->avail || zzip_file_header_data_stored(header))
- { file->stored = zzip_file_header_to_data (header); return file; }
+ {
+ file->stored = zzip_file_header_to_data (header);
+ if (file->stored + file->avail >= disk->endbuf)
+ goto error;
+ return file;
+ }
 file->stored = 0;
 file->zlib.opaque = 0;
@@ -563,6 +568,10 @@ zzip_disk_entry_fopen(ZZIP_DISK * disk, ZZIP_DISK_ENTRY * entry)
 { free (file); return 0; }
 return file;
+error:
+ free (file);
+ errno = EBADMSG;
+ return 0;
 ____;
 }
--
2.14.3
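Review bot: The upper-bound test `file->zlib.next_in + file->zlib.avail_in >= file->endbuf` forms a pointer past the buffer before comparing, so a large compressed size read from the archive can make the sum wrap (most plausibly on 32-bit builds) and let the check pass; the mmapped.c hunk has the same pattern in `file->stored + file->avail >= disk->endbuf`. Test the position first and then compare lengths: `if (file->zlib.next_in < file->buffer || file->zlib.next_in > file->endbuf) goto error;` followed by `if (file->zlib.avail_in >= (size_t)(file->endbuf - file->zlib.next_in)) goto error;`, which keeps the patch's `>=` strictness. In the `error:` path, set `errno = EBADMSG;` after `free (file);` as the mmapped.c hunk does, because `free` is not guaranteed to preserve errno on older C libraries. The function begins above this hunk, so where `file->buffer` and `file->endbuf` are assigned is not visible here and should be confirmed to happen before these checks.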
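Review bot: The stored-data branch in the first mmapped.c hunk validates only the end of the range, so a `file->stored` that resolves below the start of the mapping is still returned to the caller; the memdisk.c hunk of this same patch adds the matching lower-bound test. Add `if (file->stored < disk->buffer) goto error;` ahead of the end check, assuming `disk->buffer` is the start of the mapped archive, which this hunk does not show. The deflated path that begins at `file->stored = 0;` continues outside the hunk, so whether its `zlib.next_in` and `zlib.avail_in` receive an equivalent range check cannot be confirmed from here and is worth verifying before treating the fix as complete.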