From 170eddb01887e61a581ed1ac78aff05a476bbe59 Mon Sep 17 00:00:00 2001
From: OpenWrt community
Date: Mon, 30 Oct 2023 14:37:54 +0100
Subject: [PATCH] fix: heap-based buffer overflow in the CRC32 verification

https://nvd.nist.gov/vuln/detail/CVE-2014-8139

CVE: CVE-2014-8139
---
 extract.c | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/extract.c b/extract.c
index 1acd769..df0fa1c 100644
--- a/extract.c
+++ b/extract.c
@@ -1,5 +1,5 @@
 /*
-  Copyright (c) 1990-2009 Info-ZIP. All rights reserved.
+  Copyright (c) 1990-2014 Info-ZIP. All rights reserved.
 
   See the accompanying file LICENSE, version 2009-Jan-02 or later
   (the contents of which are also included in unzip.h) for terms of use.
@@ -298,6 +298,8 @@ char ZCONST Far TruncNTSD[] =
 #ifndef SFX
    static ZCONST char Far InconsistEFlength[] = "bad extra-field entry:\n \
      EF block length (%u bytes) exceeds remaining EF data (%u bytes)\n";
+   static ZCONST char Far TooSmallEBlength[] = "bad extra-field entry:\n \
+     EF block length (%u bytes) invalid (< %d)\n";
    static ZCONST char Far InvalidComprDataEAs[] =
      " invalid compressed data for EAs\n";
 # if (defined(WIN32) && defined(NTSD_EAS))
@@ -2023,7 +2025,8 @@ static int TestExtraField(__G__ ef, ef_len)
         ebID = makeword(ef);
         ebLen = (unsigned)makeword(ef+EB_LEN);
 
-        if (ebLen > (ef_len - EB_HEADSIZE)) {
+        if (ebLen > (ef_len - EB_HEADSIZE))
+        {
            /* Discovered some extra field inconsistency! */
             if (uO.qflag)
                 Info(slide, 1, ((char *)slide, "%-22s ",
@@ -2158,11 +2161,19 @@ static int TestExtraField(__G__ ef, ef_len)
             }
             break;
         case EF_PKVMS:
-            if (makelong(ef+EB_HEADSIZE) !=
+            if (ebLen < 4)
+            {
+                Info(slide, 1,
+                     ((char *)slide, LoadFarString(TooSmallEBlength),
+                      ebLen, 4));
+            }
+            else if (makelong(ef+EB_HEADSIZE) !=
                 crc32(CRCVAL_INITIAL, ef+(EB_HEADSIZE+4),
                       (extent)(ebLen-4)))
+            {
                 Info(slide, 1, ((char *)slide, LoadFarString(BadCRC_EAs)));
+            }
             break;
         case EF_PKW32:
         case EF_PKUNIX:
--
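Review bot: The new `ebLen < 4` branch in the EF_PKVMS case prints a "bad extra-field entry" diagnostic but, unlike the length-inconsistency branch in the -2023 hunk, neither prefixes it with the `if (uO.qflag) Info(slide, 1, ((char *)slide, "%-22s ", ...` filename line nor appears to return an error status — it falls through to `break;` exactly as the CRC-mismatch report does, so the truncated block is reported at warning severity and, in quiet mode, without naming the file. If TestExtraField's return value is what callers rely on to reject damaged archives (its return statements lie outside this hunk), mirroring the inconsistency branch — filename prefix under `uO.qflag`, then the same error return after the TooSmallEBlength Info — would keep the two length checks consistent; if a warning-only report is intended, a comment saying so would help. The CRC field size also appears as a bare `4` in `ebLen < 4`, `EB_HEADSIZE+4`, `ebLen-4` and the message argument; a single named constant would keep the guard and the slice from drifting apart. TestExtraField begins and ends outside this hunk.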