mirror of
https://git.in.rschanz.org/ryan77627/guix.git
synced 2024-12-30 08:02:38 -05:00
62 lines
2.2 KiB
Diff
62 lines
2.2 KiB
Diff
|
Fix CVE-2017-5976:
|
||
|
|
||
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5976
|
||
|
|
||
|
Patch copied from Debian.
|
||
|
|
||
|
Index: zziplib-0.13.62/zzip/memdisk.c
|
||
|
===================================================================
|
||
|
--- zziplib-0.13.62.orig/zzip/memdisk.c
|
||
|
+++ zziplib-0.13.62/zzip/memdisk.c
|
||
|
@@ -201,6 +201,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
|
||
|
{
|
||
|
void *mem = malloc(ext1 + 2);
|
||
|
item->zz_ext[1] = mem;
|
||
|
+ item->zz_extlen[1] = ext1 + 2;
|
||
|
memcpy(mem, ptr1, ext1);
|
||
|
((char *) (mem))[ext1 + 0] = 0;
|
||
|
((char *) (mem))[ext1 + 1] = 0;
|
||
|
@@ -209,6 +210,7 @@ zzip_mem_entry_new(ZZIP_DISK * disk, ZZI
|
||
|
{
|
||
|
void *mem = malloc(ext2 + 2);
|
||
|
item->zz_ext[2] = mem;
|
||
|
+ item->zz_extlen[2] = ext2 + 2;
|
||
|
memcpy(mem, ptr2, ext2);
|
||
|
((char *) (mem))[ext2 + 0] = 0;
|
||
|
((char *) (mem))[ext2 + 1] = 0;
|
||
|
@@ -245,8 +247,10 @@ zzip_mem_entry_extra_block(ZZIP_MEM_ENTR
|
||
|
while (1)
|
||
|
{
|
||
|
ZZIP_EXTRA_BLOCK *ext = entry->zz_ext[i];
|
||
|
- if (ext)
|
||
|
+ if (ext && (entry->zz_extlen[i] >= zzip_extra_block_headerlength))
|
||
|
{
|
||
|
+ char *endblock = (char *)ext + entry->zz_extlen[i];
|
||
|
+
|
||
|
while (*(short *) (ext->z_datatype))
|
||
|
{
|
||
|
if (datatype == zzip_extra_block_get_datatype(ext))
|
||
|
@@ -257,6 +261,10 @@ zzip_mem_entry_extra_block(ZZIP_MEM_ENTR
|
||
|
e += zzip_extra_block_headerlength;
|
||
|
e += zzip_extra_block_get_datasize(ext);
|
||
|
ext = (void *) e;
|
||
|
+ if (e >= endblock)
|
||
|
+ {
|
||
|
+ break;
|
||
|
+ }
|
||
|
____;
|
||
|
}
|
||
|
}
|
||
|
Index: zziplib-0.13.62/zzip/memdisk.h
|
||
|
===================================================================
|
||
|
--- zziplib-0.13.62.orig/zzip/memdisk.h
|
||
|
+++ zziplib-0.13.62/zzip/memdisk.h
|
||
|
@@ -66,6 +66,7 @@ struct _zzip_mem_entry {
|
||
|
int zz_filetype; /* (from "z_filetype") */
|
||
|
char* zz_comment; /* zero-terminated (from "comment") */
|
||
|
ZZIP_EXTRA_BLOCK* zz_ext[3]; /* terminated by null in z_datatype */
|
||
|
+ int zz_extlen[3]; /* length of zz_ext[i] in bytes */
|
||
|
}; /* the extra blocks are NOT converted */
|
||
|
|
||
|
#define _zzip_mem_disk_findfirst(_d_) ((_d_)->list)
|