From 0c0c9256b0903f664bca25dd8d924211f81e01d3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Josef=20M=C3=B6llers?= <josef@firefly.moellers.local>
Date: Fri, 2 Feb 2018 14:09:32 +0100
Subject: [PATCH] Reject the ZIP file and report it as corrupt if the size of
the central directory and/or the offset of start of central directory point
beyond the end of the ZIP file. [CVE-2018-6484]
diff --git a/zzip/zip.c b/zzip/zip.c
index f0eac2b..67e662f 100644
--- a/zzip/zip.c
+++ b/zzip/zip.c
@@ -320,6 +320,12 @@ __zzip_fetch_disk_trailer(int fd, zzip_off_t filesize,
return(ZZIP_CORRUPTED); // forged value
__fixup_rootseek(offset + tail - mapped, trailer);
+ /*
+ * "extract data from files archived in a single zip file."
+ * So the file offsets must be within the current ZIP archive!
+ */
+ if (trailer->zz_rootseek >= filesize || (trailer->zz_rootseek + trailer->zz_rootsize) >= filesize)
+ return(ZZIP_CORRUPTED);
{ return(0); }
} else if ((*tail == 'P') &&
end - tail >=
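Review bot: The added guard on line 18 forms `trailer->zz_rootseek + trailer->zz_rootsize` before comparing it with `filesize`; if those fields are a signed offset type (the preceding `// forged value` check, which rejects negative values, suggests they are), a large forged `zz_rootsize` can overflow the sum, which is undefined behaviour and in practice may wrap negative so the check passes. Expressing the second condition as a subtraction keeps the same meaning without the addition: `if (trailer->zz_rootseek >= filesize || trailer->zz_rootsize >= filesize - trailer->zz_rootseek)`, which is safe once the first condition has guaranteed `filesize - zz_rootseek` is positive and both fields are known non-negative. The comment above the check quotes documentation rather than stating what is enforced; `/* The central directory [rootseek, rootseek+rootsize) must lie entirely inside the archive; anything else is a forged trailer. */` would tell the next reader the invariant. The enclosing function `__zzip_fetch_disk_trailer` starts and ends outside the hunk.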