Blame SOURCES/zlib-1.2.13-Reject-overflows-of-zip-header-fields-in-minizip.patch

9f74df
From 73331a6a0481067628f065ffe87bb1d8f787d10c Mon Sep 17 00:00:00 2001
9f74df
From: Hans Wennborg <hans@chromium.org>
9f74df
Date: Fri, 18 Aug 2023 11:05:33 +0200
9f74df
Subject: [PATCH] Reject overflows of zip header fields in minizip.
9f74df
9f74df
This checks the lengths of the file name, extra field, and comment
9f74df
that would be put in the zip headers, and rejects them if they are
9f74df
too long. They are each limited to 65535 bytes in length by the zip
9f74df
format. This also avoids possible buffer overflows if the provided
9f74df
fields are too long.
9f74df
---
9f74df
 contrib/minizip/zip.c | 11 +++++++++++
9f74df
 1 file changed, 11 insertions(+)
9f74df
9f74df
diff --git a/contrib/minizip/zip.c b/contrib/minizip/zip.c
9f74df
index 3d3d4ca..0446109 100644
9f74df
--- a/contrib/minizip/zip.c
9f74df
+++ b/contrib/minizip/zip.c
9f74df
@@ -1043,6 +1043,17 @@ extern int ZEXPORT zipOpenNewFileInZip4_64(zipFile file, const char* filename, c
9f74df
       return ZIP_PARAMERROR;
9f74df
 #endif
9f74df
 
9f74df
+    // The filename and comment length must fit in 16 bits.
9f74df
+    if ((filename!=NULL) && (strlen(filename)>0xffff))
9f74df
+        return ZIP_PARAMERROR;
9f74df
+    if ((comment!=NULL) && (strlen(comment)>0xffff))
9f74df
+        return ZIP_PARAMERROR;
9f74df
+    // The extra field length must fit in 16 bits. If the member also requires
9f74df
+    // a Zip64 extra block, that will also need to fit within that 16-bit
9f74df
+    // length, but that will be checked for later.
9f74df
+    if ((size_extrafield_local>0xffff) || (size_extrafield_global>0xffff))
9f74df
+        return ZIP_PARAMERROR;
9f74df
+
9f74df
     zi = (zip64_internal*)file;
9f74df
 
9f74df
     if (zi->in_opened_file_inzip == 1)
9f74df
-- 
9f74df
2.41.0
9f74df