703843922a
* gnu/packages/patches/unzip-32bit-zipbomb-fix.patch: New patch. * gnu/local.mk (dist_patch_DATA): Register it. * gnu/packages/compression.scm (unzip/fixed): Apply patch.
50 lines
2 KiB
Diff
50 lines
2 KiB
Diff
From 13f0260beae851f7d5dd96e9ef757d8d6d7daac1 Mon Sep 17 00:00:00 2001
|
|
From: Mark Adler <madler@alumni.caltech.edu>
|
|
Date: Sun, 9 Feb 2020 07:20:13 -0800
|
|
Subject: [PATCH] Fix false overlapped components detection on 32-bit systems.
|
|
|
|
32-bit systems with ZIP64_SUPPORT enabled could have different
|
|
size types for zoff_t and zusz_t. That resulted in bad parameter
|
|
passing to the bound tracking functions, itself due to the lack of
|
|
use of C function prototypes in unzip. This commit assures that
|
|
parameters are cast properly for those calls.
|
|
|
|
This problem occurred only for ill-chosen make options, which give
|
|
a 32-bit zoff_t. A proper build will result in a zoff_t of 64 bits,
|
|
even on 32-bit systems.
|
|
---
|
|
extract.c | 7 ++++---
|
|
1 file changed, 4 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/extract.c b/extract.c
|
|
index 1b73cb0..d9866f9 100644
|
|
--- a/extract.c
|
|
+++ b/extract.c
|
|
@@ -329,7 +329,7 @@ static ZCONST char Far OverlappedComponents[] =
|
|
|
|
|
|
/* A growable list of spans. */
|
|
-typedef zoff_t bound_t;
|
|
+typedef zusz_t bound_t;
|
|
typedef struct {
|
|
bound_t beg; /* start of the span */
|
|
bound_t end; /* one past the end of the span */
|
|
@@ -518,7 +518,8 @@ int extract_or_test_files(__G) /* return PK-type error code */
|
|
return PK_MEM;
|
|
}
|
|
if ((G.extra_bytes != 0 &&
|
|
- cover_add((cover_t *)G.cover, 0, G.extra_bytes) != 0) ||
|
|
+ cover_add((cover_t *)G.cover,
|
|
+ (bound_t)0, (bound_t)G.extra_bytes) != 0) ||
|
|
(G.ecrec.have_ecr64 &&
|
|
cover_add((cover_t *)G.cover, G.ecrec.ec64_start,
|
|
G.ecrec.ec64_end) != 0) ||
|
|
@@ -1216,7 +1217,7 @@ static int extract_or_test_entrylist(__G__ numchunk,
|
|
|
|
/* seek_zipf(__G__ pInfo->offset); */
|
|
request = G.pInfo->offset + G.extra_bytes;
|
|
- if (cover_within((cover_t *)G.cover, request)) {
|
|
+ if (cover_within((cover_t *)G.cover, (bound_t)request)) {
|
|
Info(slide, 0x401, ((char *)slide,
|
|
LoadFarString(OverlappedComponents)));
|
|
return PK_BOMB;
|