xref: /OK3568_Linux_fs/yocto/poky/meta/recipes-extended/unzip/unzip/CVE-2021-4217.patch (revision 4882a59341e53eb6f0b4789bf948001014eff981) 
1From 731d698377dbd1f5b1b90efeb8094602ed59fc40 Mon Sep 17 00:00:00 2001
2From: Nils Bars <nils.bars@t-online.de>
3Date: Mon, 17 Jan 2022 16:53:16 +0000
4Subject: [PATCH] Fix null pointer dereference and use of uninitialized data
5
6This fixes a bug that causes use of uninitialized heap data if `readbuf` fails
7to read as many bytes as indicated by the extra field length attribute.
8Furthermore, this fixes a null pointer dereference if an archive contains an
9`EF_UNIPATH` extra field but does not have a filename set.
10---
11 fileio.c  | 5 ++++-
12 process.c | 6 +++++-
13 2 files changed, 9 insertions(+), 2 deletions(-)
14---
15
16Patch from:
17https://bugs.launchpad.net/ubuntu/+source/unzip/+bug/1957077
18https://launchpadlibrarian.net/580782282/0001-Fix-null-pointer-dereference-and-use-of-uninitialized-data.patch
19Regenerated to apply without offsets.
20
21CVE: CVE-2021-4217
22
23Upstream-Status: Inactive-Upstream [infozip upstream inactive]
24
25Signed-off-by: Joe Slater <joe.slater@windriver.com>
26
27
28diff --git a/fileio.c b/fileio.c
29index 14460f3..1dc319e 100644
30--- a/fileio.c
31+++ b/fileio.c
32@@ -2301,8 +2301,11 @@ int do_string(__G__ length, option)   /* return PK-type error code */
33             seek_zipf(__G__ G.cur_zipfile_bufstart - G.extra_bytes +
34                       (G.inptr-G.inbuf) + length);
35         } else {
36-            if (readbuf(__G__ (char *)G.extra_field, length) == 0)
37+            unsigned bytes_read = readbuf(__G__ (char *)G.extra_field, length);
38+            if (bytes_read == 0)
39                 return PK_EOF;
40+            if (bytes_read != length)
41+                return PK_ERR;
42             /* Looks like here is where extra fields are read */
43             if (getZip64Data(__G__ G.extra_field, length) != PK_COOL)
44             {
45diff --git a/process.c b/process.c
46index 5f8f6c6..de843a5 100644
47--- a/process.c
48+++ b/process.c
49@@ -2058,10 +2058,14 @@ int getUnicodeData(__G__ ef_buf, ef_len)
50           G.unipath_checksum = makelong(offset + ef_buf);
51           offset += 4;
52
53+          if (!G.filename_full) {
54+            /* Check if we have a unicode extra section but no filename set */
55+            return PK_ERR;
56+          }
57+
58           /*
59            * Compute 32-bit crc
60            */
61-
62           chksum = crc32(chksum, (uch *)(G.filename_full),
63                          strlen(G.filename_full));
64
65--
662.32.0
67
68