Fix CVE-2017-5976:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5976
Patch copied from Debian.
Index: zziplib-0.13.62/zzip/memdisk.c
===================================================================
--- zziplib-0.13.62.orig/zzip/memdisk.c
+++ zziplib-0.13.62/zzip/memdisk.c
@@ -201,6 +201,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
{
void *mem = malloc(ext1 + 2);
item->zz_ext[1] = mem;
+ item->zz_extlen[1] = ext1 + 2;
memcpy(mem, ptr1, ext1);
((char *) (mem))[ext1 + 0] = 0;
((char *) (mem))[ext1 + 1] = 0;
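Review bot: `malloc(ext1 + 2)` is used without a NULL check, so the `memcpy` on the following line writes through a null pointer when the allocation fails, and the added line records a non-zero `zz_extlen[1]` for a buffer that does not exist. Recording the length only once the allocation has succeeded keeps pointer and length consistent, for example `if (mem == NULL) { item->zz_extlen[1] = 0; }` with the copy and the length assignment in the `else` branch. The `ext2` branch in the next hunk has the same shape and needs the same guard. The declaration of `ext1` is outside the hunk; if it is a signed value read from the archive, `ext1 + 2` should be range-checked before it is stored in an `int`.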
@@ -209,6 +210,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
{
void *mem = malloc(ext2 + 2);
item->zz_ext[2] = mem;
+ item->zz_extlen[2] = ext2 + 2;
memcpy(mem, ptr2, ext2);
((char *) (mem))[ext2 + 0] = 0;
((char *) (mem))[ext2 + 1] = 0;
@@ -245,8 +247,10 @@ zzip_mem_entry_extra_block(ZZIP_MEM_ENTR
while (1)
{
ZZIP_EXTRA_BLOCK *ext = entry->zz_ext[i];
- if (ext)
+ if (ext && (entry->zz_extlen[i] >= zzip_extra_block_headerlength))
{
+ char *endblock = (char *)ext + entry->zz_extlen[i];
+
while (*(short *) (ext->z_datatype))
{
if (datatype == zzip_extra_block_get_datatype(ext))
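Review bot: The new guard reads `entry->zz_extlen[i]` for every slot the loop visits, but this patch assigns a length only for slots 1 and 2 in zzip_mem_entry_new. The guard is therefore sound for slot 0 only if the entry is zero-initialised and `zz_ext[0]` is never filled, which cannot be confirmed from the visible lines. A comment above the check, such as `/* zz_extlen[i] must be set wherever zz_ext[i] is assigned */`, would record that invariant for later callers. The function body starts and ends outside this hunk.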
@@ -257,6 +261,10 @@ zzip_mem_entry_extra_block(ZZIP_MEM_ENTR
e += zzip_extra_block_headerlength;
e += zzip_extra_block_get_datasize(ext);
ext = (void *) e;
+ if (e >= endblock)
+ {
+ break;
+ }
____;
}
}
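Review bot: The added `if (e >= endblock)` check stops the walk only when the next block starts at or past the end of the buffer; a block that starts one to three bytes before `endblock` still has its header read by the `while (*(short *) (ext->z_datatype))` condition and by `zzip_extra_block_get_datasize(ext)`, which reads past the allocation. Comparing the remaining space with the header size closes that gap: `if (endblock - e < (ptrdiff_t) zzip_extra_block_headerlength) break;`. For a well-formed extra field this exits at the same point as the two-byte zero terminator does today. The branch that returns a matching block lies between the hunks and is not shown; it would be worth confirming there that the block's data size also fits before `endblock`, since the caller will read that many bytes.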
Index: zziplib-0.13.62/zzip/memdisk.h
===================================================================
--- zziplib-0.13.62.orig/zzip/memdisk.h
+++ zziplib-0.13.62/zzip/memdisk.h
@@ -66,6 +66,7 @@ struct _zzip_mem_entry {
int zz_filetype; /* (from "z_filetype") */
char* zz_comment; /* zero-terminated (from "comment") */
ZZIP_EXTRA_BLOCK* zz_ext[3]; /* terminated by null in z_datatype */
+ int zz_extlen[3]; /* length of zz_ext[i] in bytes */
}; /* the extra blocks are NOT converted */
#define _zzip_mem_disk_findfirst(_d_) ((_d_)->list)
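Review bot: The comment on `zz_extlen` says "length of zz_ext[i] in bytes", but the value stored in memdisk.c is `ext1 + 2` / `ext2 + 2`, i.e. the allocated size including the two zero bytes appended as terminator. Stating that avoids an off-by-two when someone later uses the field as the payload length: `/* allocated size of zz_ext[i] in bytes, incl. the 2 trailing zero bytes */`. A size is also more naturally unsigned than `int`; if the field stays signed, the comment should say it is never negative.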