adenilson / rpms / zlib

Forked from rpms/zlib 8 months ago
Clone
1d3956
From 73331a6a0481067628f065ffe87bb1d8f787d10c Mon Sep 17 00:00:00 2001
1d3956
From: Hans Wennborg <hans@chromium.org>
1d3956
Date: Fri, 18 Aug 2023 11:05:33 +0200
1d3956
Subject: [PATCH] Reject overflows of zip header fields in minizip.
1d3956
1d3956
This checks the lengths of the file name, extra field, and comment
1d3956
that would be put in the zip headers, and rejects them if they are
1d3956
too long. They are each limited to 65535 bytes in length by the zip
1d3956
format. This also avoids possible buffer overflows if the provided
1d3956
fields are too long.
1d3956
---
1d3956
 contrib/minizip/zip.c | 11 +++++++++++
1d3956
 1 file changed, 11 insertions(+)
1d3956
1d3956
diff --git a/contrib/minizip/zip.c b/contrib/minizip/zip.c
1d3956
index 3d3d4ca..0446109 100644
1d3956
--- a/contrib/minizip/zip.c
1d3956
+++ b/contrib/minizip/zip.c
1d3956
@@ -1043,6 +1043,17 @@ extern int ZEXPORT zipOpenNewFileInZip4_64(zipFile file, const char* filename, c
1d3956
       return ZIP_PARAMERROR;
1d3956
 #endif
1d3956
 
1d3956
+    // The filename and comment length must fit in 16 bits.
1d3956
+    if ((filename!=NULL) && (strlen(filename)>0xffff))
1d3956
+        return ZIP_PARAMERROR;
1d3956
+    if ((comment!=NULL) && (strlen(comment)>0xffff))
1d3956
+        return ZIP_PARAMERROR;
1d3956
+    // The extra field length must fit in 16 bits. If the member also requires
1d3956
+    // a Zip64 extra block, that will also need to fit within that 16-bit
1d3956
+    // length, but that will be checked for later.
1d3956
+    if ((size_extrafield_local>0xffff) || (size_extrafield_global>0xffff))
1d3956
+        return ZIP_PARAMERROR;
1d3956
+
1d3956
     zi = (zip64_internal*)file;
1d3956
 
1d3956
     if (zi->in_opened_file_inzip == 1)
1d3956
-- 
1d3956
2.41.0
1d3956