|
 |
4bd5ce |
From 75525dbdf9b7ed003e343c42710e8b13f73a7607 Mon Sep 17 00:00:00 2001
|
|
|
4bd5ce |
From: Ondrej Dubaj <odubaj@redhat.com>
|
|
|
4bd5ce |
Date: Thu, 23 Jan 2020 15:08:13 +0100
|
|
|
4bd5ce |
Subject: [PATCH] Fix buffer underflows in the zipfile extension associated
|
|
|
4bd5ce |
with zero-length or NULL filename in the ZIP archive. But report on the
|
|
|
4bd5ce |
mailing list by Yongheng and Rui.
|
|
|
4bd5ce |
|
|
|
4bd5ce |
---
|
|
|
4bd5ce |
ext/misc/zipfile.c | 14 +++++++++-----
|
|
|
4bd5ce |
test/zipfile.test | 13 +++++++++++++
|
|
|
4bd5ce |
2 files changed, 22 insertions(+), 5 deletions(-)
|
|
|
4bd5ce |
|
|
|
4bd5ce |
diff --git a/ext/misc/zipfile.c b/ext/misc/zipfile.c
|
|
|
4bd5ce |
index e6141ef..7fd4074 100644
|
|
|
4bd5ce |
--- a/ext/misc/zipfile.c
|
|
|
4bd5ce |
+++ b/ext/misc/zipfile.c
|
|
|
4bd5ce |
@@ -1433,8 +1433,8 @@ static int zipfileGetMode(
|
|
|
4bd5ce |
** identical, ignoring any trailing '/' character in either path. */
|
|
|
4bd5ce |
static int zipfileComparePath(const char *zA, const char *zB, int nB){
|
|
|
4bd5ce |
int nA = (int)strlen(zA);
|
|
|
4bd5ce |
- if( zA[nA-1]=='/' ) nA--;
|
|
|
4bd5ce |
- if( zB[nB-1]=='/' ) nB--;
|
|
|
4bd5ce |
+ if( nA>0 && zA[nA-1]=='/' ) nA--;
|
|
|
4bd5ce |
+ if( nB>0 && zB[nB-1]=='/' ) nB--;
|
|
|
4bd5ce |
if( nA==nB && memcmp(zA, zB, nA)==0 ) return 0;
|
|
|
4bd5ce |
return 1;
|
|
|
4bd5ce |
}
|
|
|
4bd5ce |
@@ -1628,11 +1628,15 @@ static int zipfileUpdate(
|
|
|
4bd5ce |
** '/'. This appears to be required for compatibility with info-zip
|
|
|
4bd5ce |
** (the unzip command on unix). It does not create directories
|
|
|
4bd5ce |
** otherwise. */
|
|
|
4bd5ce |
- if( zPath[nPath-1]!='/' ){
|
|
|
4bd5ce |
+ if( nPath<=0 || zPath[nPath-1]!='/' ){
|
|
|
4bd5ce |
zFree = sqlite3_mprintf("%s/", zPath);
|
|
|
4bd5ce |
- if( zFree==0 ){ rc = SQLITE_NOMEM; }
|
|
|
4bd5ce |
zPath = (const char*)zFree;
|
|
|
4bd5ce |
- nPath = (int)strlen(zPath);
|
|
|
4bd5ce |
+ if( zFree==0 ){
|
|
|
4bd5ce |
+ rc = SQLITE_NOMEM;
|
|
|
4bd5ce |
+ nPath = 0;
|
|
|
4bd5ce |
+ }else{
|
|
|
4bd5ce |
+ nPath = (int)strlen(zPath);
|
|
|
4bd5ce |
+ }
|
|
|
4bd5ce |
}
|
|
|
4bd5ce |
}
|
|
|
4bd5ce |
|
|
|
4bd5ce |
diff --git a/test/zipfile.test b/test/zipfile.test
|
|
|
4bd5ce |
index e4b8088..9f07c0a 100644
|
|
|
4bd5ce |
--- a/test/zipfile.test
|
|
|
4bd5ce |
+++ b/test/zipfile.test
|
|
|
4bd5ce |
@@ -821,4 +821,17 @@ do_execsql_test 14.10 {
|
|
|
4bd5ce |
PRAGMA integrity_check;
|
|
|
4bd5ce |
} {3 ok}
|
|
|
4bd5ce |
|
|
|
4bd5ce |
+# 2019-12-26 More problems in zipfile from the Yongheng and Rui fuzzer
|
|
|
4bd5ce |
+#
|
|
|
4bd5ce |
+do_execsql_test 15.10 {
|
|
|
4bd5ce |
+ DROP TABLE IF EXISTS t1;
|
|
|
4bd5ce |
+ CREATE VIRTUAL TABLE t1 USING zipfile(null);
|
|
|
4bd5ce |
+ REPLACE INTO t1 VALUES(null,null,0,null,null,null,null);
|
|
|
4bd5ce |
+} {}
|
|
|
4bd5ce |
+do_execsql_test 15.20 {
|
|
|
4bd5ce |
+ DROP TABLE IF EXISTS t2;
|
|
|
4bd5ce |
+ CREATE VIRTUAL TABLE t2 USING zipfile(null);
|
|
|
4bd5ce |
+ REPLACE INTO t2 values(null,null,null,null,null,10,null);
|
|
|
4bd5ce |
+} {}
|
|
|
4bd5ce |
+
|
|
|
4bd5ce |
finish_test
|
|
|
4bd5ce |
--
|
|
|
4bd5ce |
2.19.1
|
|
|
4bd5ce |
|