From 7eec5e4b9a4b6efea5ef5f6b793a6cbef40e980d Mon Sep 17 00:00:00 2001
From: Jakub Martisko
Date: Wed, 23 May 2018 10:15:07 +0200
Subject: [PATCH] fix: CVE-2018-7726

---
 zzip/zip.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/zzip/zip.c b/zzip/zip.c
index a574b24..a6c7ced 100644
--- a/zzip/zip.c
+++ b/zzip/zip.c
@@ -323,6 +323,8 @@ __zzip_fetch_disk_trailer(int fd, zzip_off_t filesize,
         trailer->zz_rootseek = zzip_disk_trailer_rootseek(orig);
         trailer->zz_rootsize = zzip_disk_trailer_rootsize(orig);
 # endif
+        if (trailer->zz_rootseek < 0 || trailer->zz_rootsize < 0)
+            return(ZZIP_CORRUPTED); // forged value
         __fixup_rootseek(offset + tail - mapped, trailer);
         { return(0); }
@@ -343,6 +345,14 @@ __zzip_fetch_disk_trailer(int fd, zzip_off_t filesize,
             zzip_disk64_trailer_finalentries(orig);
         trailer->zz_rootseek = zzip_disk64_trailer_rootseek(orig);
         trailer->zz_rootsize = zzip_disk64_trailer_rootsize(orig);
+        if (trailer->zz_rootseek < 0 || trailer->zz_rootsize < 0)
+            return(ZZIP_CORRUPTED); // forged value
+        /*
+         * "extract data from files archived in a single zip file."
+         * So the file offsets must be within the current ZIP archive!
+         */
+        if (trailer->zz_rootseek >= filesize || (trailer->zz_rootseek + trailer->zz_rootsize) >= filesize)
+            return(ZZIP_CORRUPTED);
         { return(0); }
 # endif
     }
@@ -410,6 +420,8 @@ __zzip_parse_root_directory(int fd,
     zzip_off64_t zz_rootsize = _disk_trailer_rootsize(trailer);
     zzip_off64_t zz_rootseek = _disk_trailer_rootseek(trailer);
     __correct_rootseek(zz_rootseek, zz_rootsize, trailer);
+    if (zz_entries < 0 || zz_rootseek < 0 || zz_rootsize < 0)
+        return ZZIP_CORRUPTED;
     hdr0 = (struct zzip_dir_hdr *) malloc(zz_rootsize);
     if (! hdr0)
--
2.14.3
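Review bot: The negativity check added before `__fixup_rootseek` in the 32-bit trailer branch rejects only values below zero; unlike the zip64 branch in the next hunk, this path still accepts a root directory that lies past the end of the archive, since `filesize` is in scope here but never compared. Consider mirroring the bound on this path as well, `if (trailer->zz_rootseek >= filesize || trailer->zz_rootsize >= filesize - trailer->zz_rootseek) return(ZZIP_CORRUPTED);`, unless a check outside the hunk already covers it. Note too that `__fixup_rootseek` on the following line adjusts the trailer after the check has run, so if it can change zz_rootseek the validation belongs after it. The `// forged value` trailer comment also departs from the `/* ... */` style used elsewhere in this file. The enclosing function continues outside the hunk.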
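Review bot: The sum `trailer->zz_rootseek + trailer->zz_rootsize` in the added range check can overflow: the preceding line only establishes that both are non-negative, and `zz_rootseek < filesize` does not bound `zz_rootsize`, so a forged size near the type maximum makes the addition overflow a signed offset type (undefined behaviour) and may wrap to a value that slips past `>= filesize`. Rewrite the test without the addition, `if (trailer->zz_rootseek >= filesize || trailer->zz_rootsize >= filesize - trailer->zz_rootseek) return(ZZIP_CORRUPTED);`, which is safe once both operands are known non-negative. The exact types of zz_rootseek and zz_rootsize are not visible in the hunk; the `< 0` comparison above suggests they are signed. The enclosing function continues outside the hunk.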
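Review bot: The new check in `__zzip_parse_root_directory` rejects only negative values, yet `zz_rootsize` is passed straight to `malloc(zz_rootsize)` on the next line as a `size_t`: a positive but forged size far larger than the archive still reaches the allocator, and on targets where `size_t` is narrower than `zzip_off64_t` the implicit conversion truncates. An upper bound is needed alongside the sign test; if the archive size is available in this function, `if (zz_rootsize > filesize) return ZZIP_CORRUPTED;` is the natural one, otherwise compare against the largest `size_t` before the conversion. The trailer-level bound added in the previous hunk applies only to the zip64 branch, so this path cannot rely on it for 32-bit trailers. The enclosing function's signature and body continue outside the hunk.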