From a9bfab5b52d08879bbc5e0991684b700127ddcff Mon Sep 17 00:00:00 2001
From: mancha
Date: Mon, 3 Nov 2014
Subject: Info-ZIP UnZip buffer overflow
By carefully crafting a corrupt ZIP archive with "extra fields" that purport to have compressed blocks larger than the corresponding uncompressed blocks in STORED no-compression mode, an attacker can trigger a heap overflow that can result in application crash or possibly have other unspecified impact. This patch ensures that when extra fields use STORED mode, the "compressed" and uncompressed block sizes match.
---
 extract.c | 8 ++++++++
 1 file changed, 8 insertions(+)
Index: unzip-6.0/extract.c
===================================================================
--- unzip-6.0.orig/extract.c 2015-01-29 11:15:31.118569464 -0500
+++ unzip-6.0/extract.c 2015-01-29 11:15:31.114569431 -0500
@@ -2230,6 +2230,7 @@
 ulg eb_ucsize;
 uch *eb_ucptr;
 int r;
+ ush method;
 if (compr_offset < 4) /* field is not compressed: */
 return PK_OK; /* do nothing and signal OK */
@@ -2246,6 +2247,12 @@
 ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
 return IZ_EF_TRUNC; /* no/bad compressed data! */
+ method = makeword(eb + (EB_HEADSIZE + compr_offset));
+ if ((method == STORED) && (eb_size - compr_offset != eb_ucsize))
+ return PK_ERR; /* compressed & uncompressed
+ * should match in STORED
+ * method */
+
 if (
 #ifdef INT_16BIT
 (((ulg)(extent)eb_ucsize) != eb_ucsize) ||
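Review bot: The new STORED test in the second hunk compares `eb_size - compr_offset` with `eb_ucsize`, but the truncation check just above it treats `compr_offset + EB_CMPRHEADLEN` as the bytes that precede the compressed data, so the stored payload length appears to be `eb_size - compr_offset - EB_CMPRHEADLEN`. As written, the test would seem to reject well-formed STORED fields and to accept one whose payload is `EB_CMPRHEADLEN` bytes shorter than the declared uncompressed size, which leaves a mismatch in place; consider `if ((method == STORED) && (eb_size - compr_offset - EB_CMPRHEADLEN != eb_ucsize))`. Separately, when `eb_ucsize` is 0 the visible part of the truncation check does not bound `eb_size` against `compr_offset`, so the `makeword` read and the unsigned subtraction may operate on a field too short to hold the method word. The start of that condition and the rest of the function lie outside the hunk, so both points need confirming against the full source. A comment on the new check stating which header bytes are excluded from the comparison would make the intent verifiable.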