From 7eec5e4b9a4b6efea5ef5f6b793a6cbef40e980d Mon Sep 17 00:00:00 2001
From: Jakub Martisko <jamartis@redhat.com>
Date: Wed, 23 May 2018 10:15:07 +0200
Subject: [PATCH] fix: CVE-2018-7726
---
zzip/zip.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/zzip/zip.c b/zzip/zip.c
index a574b24..a6c7ced 100644
--- a/zzip/zip.c
+++ b/zzip/zip.c
@@ -323,6 +323,8 @@ __zzip_fetch_disk_trailer(int fd, zzip_off_t filesize,
trailer->zz_rootseek = zzip_disk_trailer_rootseek(orig);
trailer->zz_rootsize = zzip_disk_trailer_rootsize(orig);
# endif
+ if (trailer->zz_rootseek < 0 || trailer->zz_rootsize < 0)
+ return(ZZIP_CORRUPTED); // forged value
__fixup_rootseek(offset + tail - mapped, trailer);
{ return(0); }
@@ -343,6 +345,14 @@ __zzip_fetch_disk_trailer(int fd, zzip_off_t filesize,
zzip_disk64_trailer_finalentries(orig);
trailer->zz_rootseek = zzip_disk64_trailer_rootseek(orig);
trailer->zz_rootsize = zzip_disk64_trailer_rootsize(orig);
+ if (trailer->zz_rootseek < 0 || trailer->zz_rootsize < 0)
+ return(ZZIP_CORRUPTED); // forged value
+ /*
+ * "extract data from files archived in a single zip file."
+ * So the file offsets must be within the current ZIP archive!
+ */
+ if (trailer->zz_rootseek >= filesize || (trailer->zz_rootseek + trailer->zz_rootsize) >= filesize)
+ return(ZZIP_CORRUPTED);
{ return(0); }
# endif
}
@@ -410,6 +420,8 @@ __zzip_parse_root_directory(int fd,
zzip_off64_t zz_rootsize = _disk_trailer_rootsize(trailer);
zzip_off64_t zz_rootseek = _disk_trailer_rootseek(trailer);
__correct_rootseek(zz_rootseek, zz_rootsize, trailer);
+ if (zz_entries < 0 || zz_rootseek < 0 || zz_rootsize < 0)
+ return ZZIP_CORRUPTED;
hdr0 = (struct zzip_dir_hdr *) malloc(zz_rootsize);
if (! hdr0)
--
2.14.3