From eca24c7ddd296fe8dd112fd89fb288411e407379 Mon Sep 17 00:00:00 2001
From: OpenWrt community <openwrt-devel@lists.openwrt.org>
Date: Mon, 30 Oct 2023 14:46:57 +0100
Subject: [PATCH] fix: out-of-bounds read or write and crash

https://nvd.nist.gov/vuln/detail/CVE-2014-9636

CVE: CVE-2014-9636
---
 extract.c | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/extract.c b/extract.c
index ec31e60..d816603 100644
--- a/extract.c
+++ b/extract.c
@@ -2228,6 +2228,7 @@ static int test_compr_eb(__G__ eb, eb_size, compr_offset, test_uc_ebdata)
     ulg eb_ucsize;
     uch *eb_ucptr;
     int r;
+    ush eb_compr_method;
 
     if (compr_offset < 4)                /* field is not compressed: */
         return PK_OK;                    /* do nothing and signal OK */
@@ -2244,6 +2245,14 @@ static int test_compr_eb(__G__ eb, eb_size, compr_offset, test_uc_ebdata)
      ((eb_ucsize > 0L) && (eb_size <= (compr_offset + EB_CMPRHEADLEN))))
         return IZ_EF_TRUNC;             /* no/bad compressed data! */
 
+    /* 2014-11-03 Michal Zalewski, SMS.
+     * For STORE method, compressed and uncompressed sizes must agree.
+     * http://www.info-zip.org/phpBB3/viewtopic.php?f=7&t=450
+     */
+    eb_compr_method = makeword( eb + (EB_HEADSIZE + compr_offset));
+    if ((eb_compr_method == STORED) && (eb_size - compr_offset != eb_ucsize))
+        return PK_ERR;
+
     if (
 #ifdef INT_16BIT
         (((ulg)(extent)eb_ucsize) != eb_ucsize) ||
--